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FOREWORD 


This  report  involved  the  active  participation  of  the  Policy  Survey  Sub- 
conmittee  members  listed  below: 

Mr.  Frank  M.  McClelland 
National  Communications  Systems 

Mr.  Ronald  C.  Kriston 
Central  Intelligence  Agency 

LtCol  Lawrence  A.  Noble 
Department  of  the  Air  Force 

Mr.  James  E.  Studer 
Department  of  the  Army 

Mr.  Eugene  V.  Epperly 
Office  of  the  Secretary  of  Defense 
Chairman 

It  is  emphasized  that  the  views  and  observations  contained  in  this  report 
represent  the  independent  and  individual  views  of  the  participants,  not  neces¬ 
sarily  the  official  views  of  their  organizations. 

A  report  such  as  this  must  initially  be  written  by  one  person,  and  the 
original  version  was  drafted  by  the  Chairman.  This  was  then  circulated  to 
Subcommittee  members  for  critique,  modification,  and  amendments.  Although 
there  may  remain  some  disagreement  on  minor  points,  the  Subcommittee  members 
concur  with  the  final  version  of  the  report. 


Mr.  Stephen  F.  Barnett 
National  Security  Agency 

LTJG  Sharron  K.  Crowder 
Department  of  the  Navy 

Mrs.  Phoebe  G.  Harper 
Defense  Intelligence  Agency 

Mr.  Gary  E.  Johnson 
Department  of  Treasury 
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EXECUTIVE  SUMMARY 


\  Purpose 

This  report  documents  the  subcommittee's  survey  of  current  Government 
computer  security  policy  documents  at  the  -national  and  Federal  department/agency 
levels.  The  review  was  undertaken  to  Identify  what  policy  exists,  what  It 
addresses,  and  what  responsibilities  are  assigned.  ' 


Approach 

^The  following  criteria  were  established  fpr  "computer  security  policy" 
documents : 

^1.  -They  must  be  authoritative  and  directive  In  nature;  t 

2.  Tfiey  must  reflect  In  content  the  multi-disciplinary,  total 
systems  approach  axiomatic  In  current  computer  security  policy. 


Total  coverage  of  Executive  Branch  agencies  and  departments  (over  70)  was 
deemed  Impractical  -  the  effort  focused  on  fifteen  agencies  that  represented 
over  88i  of  the  Government  ADP  systems  reflected  In  the  GSA  Inventory  and 
Included  the  majority  of  Cabinet-level  departments. 


A  questionnaire  format  was  developed  to  extract  on  a  common  basis  key 
attributes  of  document  policy  coverage,  and  this  was  to  be  completed  by 
subcommittee  members  In  the  Interests  of  reliability  and  consistency.  A  key 
objective  of  the  process  was  to  Identify  national  level  policies  and  authorities. 
Existence  of  policy/ program  oversight  mechanisms  was  Identified  as  a  secondary 
but  very  Important  focus . ^(Section  I,  pp.  1-5). 

Department/ Agency  Policies 

For  the  fifteen  agencies  surveyed,  32  separate  computer  security  policy 
viocuments  (totalling  1,316  pages)  were  obtained  and  reviewed.  These  were 
consolidated  ^nto  27  policy  sets  of  like  scope  and  applicability.  All  fifteen 
agencies  have  pro(.'u1qated  computer  security  policies;  however,  these  varied 
In  approach,  scope  and  apol Icablllty.  Survey  results  reflected  the  historical 
sequence  of  attention  to  computer  security;  631i  of  the  sets  reflected  policies 
Implementing  national  security  Information  protection  requirements.  Other 
frequencies  cited  among  the  27  policy  sets  were:  Privacy  Act,  415;  Transmittal 
Memorandum  No.  1  to  0MB  Circular  A-71 ,  30*;  Intelligence  Special  Access  Programs, 
30?;  National  COMSEC  Directive,  15?;  0MB  Circular  A-108,  11*;  and.  Atomic 
Energy  Act,  7?.  Computer  security  subdisciplines'  frequency  were  reflected 
In  the  sets  as  follows:  Physical  security,  100?;  personnel  security,  96?, 
administrative/procedural  security,  96?;  hardware/ software  security,  96?; 
communications  security,  89?;  and,  emanations  security,  70?.  (Section  II,  pp.  6-9) 


"National"  Level 


A  most  Important  facet  of  the  survey  was  to  identify  higher  level  authorita¬ 
tive  bases  for  computer  security  policies  at  the  department/agency  level. 
Thirteen  documents  forming  5  policy  sets  were  Identified  and  reviewed.  As  an 
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operational  complement  to  policy,  various  program  oversight  mechanisms  were  also 
identified, to  include  the  Legislative  Branch. 

Comprehensive  computer  security  policy,  promulgated  by  the  Office  of 
Management  and  Budgef*  and  supplemented  by  further  Issuances  from  the  Office 
of  Personnel  Management  (0PM),  the  Genera!  Services  Administration  (GSA), 
and  the  National  Bureau  of  Standards,  Department  of  Commerce  (NBS),  was 
revealed.  This  policy  (sunmarlzed  on  pp.  12-14)  Included: 

—  All  Federal  data  and  applications  processed  by  computer  systems 

--  Personal,  proprietary,  and  other  sensitive  data,  to  Include  national 
security  data. 

—  Such  data  and  applications  processed  by  other  systems  on  behalf  of 
Federal  departments  and  agencies,  as  well  as  by  Federal  computer  systems  as 
such. 

Supplementing  policies  In  response  to  0M6  tasking  Include  the  following: 

—  0PM  has  amended  the  Federal  Personnel  Manual 

—  GSA  has  amended  the  Federal  Property  Management  Regulations  and  the 
Federal  Procurement  Regulations 

—  NBS  has  issued  numerous  guideline  publications  and  maintains  an  ongoing 
program  fdr  standards  development. 

Other  national  level  policies  of  narrower  scope  and  applicability  Included 
Implementation  of  classified  information  safeguarding  requirements  Ce.g.,  NATO, 
Intelligence,  and  Atomic  Energy-related  information)  and  of  requirements  for 
personal  information  subject  to  the  Privacy  Act  (Section  III,  pp.  10-H). 

Oversight 

A  significant  amount  of  national  Interest  In  the  oversight  of  Federal 
computer  security  activities  1'  Identified  (e.g..  Senate  Committee  on  Government 
Operations,  GAO,  the  President's  Initiative  on  Fraud  and  Waste,  Information 
Security  Oversight  Office,  Offfl). 

Collectively,  these  have  revealed  significant  problens  In  the  field 
implementation  of  computer  security  policy,  particularly  systems  not  processing 
classified  information  (Section  IV.,  pp.  15-20;  see  also  Appendix  I.). 


•Transmittal  Memorandum  No.  1  to  0MB  Circular  A-71,  Office  of  Management  and 
Budget,  "Security  of  Federal  Automated  Information  Systems,"  July  27,  1978. 

ill 


A  Federal  Aoencv  Perspecflve 


A  section  describing  the  context  and  flow  of  computer  security  policies 
from  higher  levels  Is  included  to  Illustrate,  In  an  agency  organizational 
context,  policy  and  oversight  approaches  taken  and  possible  problems  with 
regard  to  effective  Implementation  of  current  and  future  computer  security 
policy  requirenents.  (Section  V,  pp.  2l*2S). 

Conclusions  and  Recommendations  (Section  VI,  pp.  26-29) 


GAO  noted  that  TM  1  to  0MB  Circular  A-71  "...requires  action  by  top 
agency  managers  which  could  contribute  greatly  to  correcting  many  of  the 
computer  data  security  problems. . .It  sets  an  appropriate  framework  for 
agencies'  Initiatives  to  correct  the  data  security  problem." 


However,  the  Subcommittee  observed  policy  fragmentation  across-the-board 
and  lack  of  cost  effective,  feasible  Implementing  guidance. 

The  foregoing  Indicates  that  a  deeper  level  of  analysis  Is  required  to  focus 
on  those  aspects  of  computer  security  field  Implementation  that  are  susceptible 
to  benefit  from  national  level  attention  and  effort.  Accordingly,  the 
Subcommittee  strongly  and  unanimously  recommends  attention  be  given  to  the 
following  specific  problem  areas  related  to  current  computer  security  policies 
and  field  implementation  thereof: 

1.  The  GAO  Identified  lack  of  too  management  support  In  Federal  Departments 
and  Agencies  (Appendix  I),  to  specifically  Include  the  need  for  the  education 
and  awareness  of  top  management: 

2.  Closely  Interrelated,  the  lack  of  resources .  both  research  and  development 
resources  and  operational  resources,  with  specific  attention  to  the  problem  of 
trained  manpower  and  funding  stability. 

3.  The  problemmatic  nature  of  the  hardware/software  computer  security 
subdisci  pi Ine.  to  specifically  Include  the  development  of  secure  systems  technology, 
security  technical  evaluation  methodologies,  and  recommended  management  and 
operational  mechanlsm(s)  therefor; 

4.  Manifest  requirements  for  means  of  more  effective  Integration  and 
coordination  of  Identified  national  policy  promulgating  activities;  and, 

5.  Generation  of  feasible  and  cost-effective  ImplOTentIng  guidance  for 
various  computer  security  subdisciplines  associated  wit^h  the  implementation  of 
overall  computer  security  policies. 
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I .  INTRODUCTION 

Purpose 

The  purpose  of  this  report  is  to  document  the  survey  of  identified  nation¬ 
al  level  and  Executive  Branch  department  and  agency  computer  security  policies 
as  undertaken  by  the  Policy  Survey  Subcommittee. 

Tasking.  The  subcommittee  was  asked  to  review  current  government  com¬ 
puter  security  policies  at  both  the  national  and  department/agency  levels. 

The  purpose  of  the  review  is  to  identify  what  policy  exists,  what  it  addresses, 
and  what  responsibilities  are  assigned.  The  task,  approach  and  objectives  as 
refined  by  the  subcommittee  are  summarized  in  Figure  1. 

Approach  and  Methodology 

Target  "Universe."  The  survey  "universe"  was  initially  defined  as  the 
major  organizational  elements  of  the  Executive  Branch.  The  United  States 
Government  Manual,  the  official  handbook  of  the  Federal  Government  published 
by  the  General  Services  Administration  (GSA),  lists  over  70  Executive  depart¬ 
ments,  agencies  and  other  establishments  below  the  level  of  the  Executive 
Office  of  the  President.  Total  coverage  was  not  deemed  a  practical  objective. 

In  view  of  time  and  resouce  limitations,  it  was  decided  to  limit  the 
survey  of  Executive  Branch  departments  and  agencies  and  to  concurrently  maxi¬ 
mize  survey  coverage  by  focusing  on  those  entities  operating  the  overwhelming 
preponderance  of  government  AOP  systems,  as  reflected  in  the  GSA  Automatic 
Data  Processing  Equipment  Inventory  In  The  United  States  Government,  April 
1979  edition.  In  view  of  their  relative  importance,  it  was  also  decided  to 
include  all  Executive  Departments  included  in  the  Cabinet,  regardless  of  the 
number  of  computer  systems  each.  (Even  though  HEW  was  disestablished  as  such, 
it  was  considered  one  Executive  Department  for  purposes  of  the  survey,  in  view 
of  the  recency  of  that  action.)  CIA,  DIA,  and  NSA  were  added  since  their 
assigned  computer  security  policy  responsibilities  transcended  their  immediate 
organizations,  and  the  Military  Departments  were  included  separately  by  virtue 
of  the  comparative  size  of  the  organizations  and  their  associated  ADP  programs. 
Basically,  then,  the  survey  initially  was  to  include  26  Executive  departments 
and  agencies,  with  these  organizations  accounting  for  9257  computer  systems 
out  of  the  GSA  total  of  9299,  or  a  coverage  percentage  of  99.5%. 

Subsequent  further  limitations  on  time  and  other  resources  led  to  the 
reduction  of  this  "sample  universe"  to  fifteen  departments  and  agencies  (Figure 
2),  thereby  covering  8237  ADP  systems  in  the  GSA  inventory,  or  over  88.6% 
thereof,  not  including  CIA  or  NSA  ADP  systems,  and  including  seven  of  the 
twelve  Cabinet-level  departments. 

Survey  Focus.  Given  the  task  of  surveying  computer  security  policies, 
the  subcommittee  focused  on  computer  security  documents  as  such.  Rather  than 
include  all  policy  documents  mentioning  computer  security,  it  was  agreed  that 
documents  to  be  reviewed  for  this  survey  must  meet  the  following  criteria: 
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POLICY  SURVEY  SUBCOMMITTEE 

BSK:  REVIEW  FEDERAL  GOVERfIMENT  COMPUTER  SECURITY  POLICIES 

-  TO  IDENTIFY  EXISTING  POLICIES,  SCOPE,  APPLICABILITY  & 
RESPONSIBILITIES 

-  AT  NATIONAL  &  DEPARTM0ITAL  LEVELS 

-  CLASSIFIED  AND  UNCLASSIFIED  INFORMATION 

APPROACH!  QUESTIONNAIRE  SURVEY  OF  SELECTED  NATIONA.L  &  EXECUTIVE  BRANCH 
DEPARTMENT/AGOia  COMPUTER  SECURITY  DOCUMENTS 

-  DOCUMENTS  ADDRESS  COMPUTER  SECURITY  IN  A  COMPREHENSIVE  SENSE 

-  QUESTIONNAIRE  DESIGNED  TO  EXTRACT  KEY  PROGRAM  INDICATORS 

-  DEFINITION  OF  "SAMPLE*  UNIVERSE  TO  FOCUS  ON  PREPONDERANCE 
OF  ADPE  i  CABINET-LEVEL  DEPARTMENTS 

COVERAGE  OBJECTIVES: 

1.  POLICIES 

~  NATIONAL  LEVEL 

~  EXECUTIVE  DEPARTMENT/AGENCY  LEVEL 

2.  PROGRAM  OVERSIGHT  MECHANISMS  (SECONDARY) 

~  NATIONAL  LEVEL 

~  DEPARTMENTAL/AGENa  LEVEL 
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1.  They  must  reflect  in  content  the  overall  multidisciplinary,  total 
systems  approach  that  has  emerged  as  axiomatic  in  computer  security  policy  and 
practice,  to  include  explicitly  the  preponderance  of  the  necessary  subdisci¬ 
plines  that  in  aggregate  represent  the  accepted  approach  to  securing  computer 
systems  in  operational  environments,  as  suggested  in  Figure  3. 

This  criterion  includes  documents  that  in  themselves  do  not  contain 
all  such  subdisciplinary  requirements,  but  explicitly  reference  such  require¬ 
ments  for  implementation,  where  these  requirements  are  promulgated  in  other 
documents  (e.g.,  OoD  Directive  5200.28  and  associated  ADP  Security  Manual 
U>2]  explicitly  refer  to  and  require  implementation  of  communications  secur¬ 
ity  and  emanations  security  requirements  promulgated  genetically  by  separate 
DoD  Directives  on  those  subjects). 

Not  to  be  included  were  documents  that  treated  in  separate  and  stand-alone 
fashion  various  facets  or  aspects  of  computer  system  security  (e.g..  Defense's 
Information  Security  Program  Regulation,  DoD  5200. 1-R  [4],  which  for  ADPE 
includes  only  security  marking  provisions  for  certain  ADP  media). 

2.  They  must  be  directive  in  nature,  authoritatively  imposing  computer 
security  responsibilities  and  requirements  of  a  designated  scope  and  applica¬ 
bility. 


Excluded  by  this  test  were  documents  such  as  National  COMSEC/EM  SEC 
Information  Memorandum  No.  7002,  "COMSEC  Guidance  for  ADP  Systems"  [5],  which 
contains  computer  security  guidelines.  Similarly  excluded  were  a  host  of 
published  National  Bureau  of  Standards  guidelines,  many  of  which  are  enumerated 
at  Appendix  A  [6]. 

Questionnaire  Coverage  and  Scope.  The  approach  decided  by  the  subconanit- 
tee  involved  development  of  a  questionnaire  format  to  be  used  in  reviewing  and 
extracting  relevant  information  from  current  computer  security  policy  documents 
meeting  the  above  criteria.  The  format  (attached  as  Appendix  B  with  associated 
guidance,  and  summarized  in  Figure  4)  was  designed  to  extract  on  a  common 
basis  key  attributes  and  aspects  of  department/  agency  policy  document  coverage. 
The  completed  questionnaire  would  provide  a  policy/program  profile  for  each 
computer  security  policy  document  (or  document  set,  as  noted  below),  and 
questionnaires  cumulatively  considered  would  provide  a  fairly  accurate  general 
indicator  of  computer  security  policy  coverage  both  at  the  Executive  depart¬ 
ment  and  agency  level  and  at  the  Executive  Branch  level. 

A  key  derivative  objective  of  the  department/agency  survey  was  to  identi¬ 
fy  other  potential  national-level  computer  security  policies  in  policy  docu¬ 
ments  not  already  identified  in  the  questionnaire  or  otherwise  obtained  (i.e.. 
Question  //3,  "authoritative  basis(es)  for  policy").  This  aspect  is  deemed 
critical  to  the  overall  issue  concerning  the  extent  to  which  policy  computer 
security  policy  exists  at  the  national  (essentially  meaning  Executive  Branch) 
level  of  the  Federal  Government. 

The  first  three  items  on  the  questionnaire  ("Identification"  and  "Authori¬ 
tative  Bases"  on  Figure  4)  are  followed  by  items  on  applicability  and  scope. 
These  are  considered  essentially  self-explanatory  indicators  where  presence  or 
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QUESTIOWWAIRE  CQVERA.GE 

•  OBJECTIVES:  -  IDENTIFY  EXISTING  POLICY  SOURCES  AT  THE  NATIONAL  LEVEL 

-  DESCRIBE  GENERAL  NATURE  AND  SCOPE  OF  inPLENENTATION 
AT  DEPARTTENT/AGENa  LEVEL 


t  QUESTIONNAIRE  SCOPE: 

-  SOURCE  A  DOCmiENTCS)  IDENTIFICATION 

-  AUTHORITATIVE  BASES 

-  APPLICABILITY  ("IN-HOUSE"  AND/OR  "OUT-HOUSE") 

■  PROTEOm  SCOEE 

-  INFORHATIOH/DATA 

-  SYSTEMS/AREAS/SOFTHARE/  OTHER  SYSTEMS  RESOURCES 

-  LIFE  CYCLE  COVERAGE?  (ADP  SYSTEMS  AND/OR  DATA  SYSTEIE) 

-  SUBDISCIPLINES  INCLUD0 

-  PERSONNEL  SECURITY 

-  PHYSICAL  SECURITY 

-  COMMUNICATIONS  SECURITY 

-  EMANATIONS  SECURITY 

-  ADMINISTRATIVE/PROCEDURAL  SECURITY 
~  HARDNARE/SOFTWARE  SECURITY 


QUESTIONNAIRE  COVERAGE  (CONT'D) 


-  PROGRAM  COMPONENT 


aiakiaj 


I: 


-  ASSIGNMENT  OF  RESPONSIBILITY 

-  MANAGEMENT  CONTROL  PROCESS 

-  DESIGNATED  APPROVING  AUTHORITIES 

~  OVERALL  SECURITY  SPECIFICATIONS/REQUIREMENTS 
~  SECURITY  EVALUATION  REQUIRED  FOR  SYSTEM  OPERATION 
~  AUDIT  OR  OTHER  FOLLOW-UP  SECURITY  EVALUATION 
~  RISK  ANALYSIS  METHODOLOGIES 

-  SECURITY  REQUIREMENTS  FOR  PROCUREMENT 
~  REQUIREMENTS  FOR  CONTINGENCY  PUNNING 

-  PERSONNEL  SCREENING 

-  SPECIFIED  WAIVER  AUTHORITY 

-  REQUIREMENT  FOR  ADP  SECURITY  BUDGET 


-  NUMBER  OF  ADP  SYSTEMS  COVERED 

-  NUMBER  OF  mi 


Kfort  H  (Coat'd) 
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absence  can  be  considered  coverage  attributes  for  a  given  policy  document/ 
computer  security  program.  Similarly  straight  forward  are  the  subdiciplines 
included  (item  6  on  the  questionnaire  at  Appendix  B).  The  last  substantive 
item,  "Program  Component  Elements,"  #7  on  the  questionnaire,  is  an  adoption  of 
the  checklist  developed  to  review  department  and  agency  implementation  plans 
for  the  requirements  imposed  by  Transmittal  Memorandiun  No.  1  to  0MB  Circular 
A-71,  "Security  of  Federal  Automated  Information  System"  [7],  the  most  compre¬ 
hensive  computer  security  policy  document  identified  herein  in  terms  of  organi¬ 
zations  levels,  scope,  applicability  and  system  security  coverage.  Accordingly, 
this  item  in  particular  was  designed  to  reveal  gaps  in  program  policies. 

Questionnaire  Completion.  In  the  interest  of  maximizing  response  consis¬ 
tency  and  reliability,  documents  were  reviewed  and  questionnaires  were  completed 
only  by  members  of  the  subcommittee.  In  furtherance  of  that  goal,  interpretive 
guidance  was  also  developed  and  provided  (included  in  Appendix  B)  prior  to 
completion  of  the  questionnaires. 

Limitations .  The  following  limitations  in  survey  scope,  methodology  and 
coverage  are  specifically  noted  for  the  reader.  First  of  all,  the  survey 
represented  neither  a  random  nor  a  representative  sample.  In  view  of  limita¬ 
tions  in  time  and  resources,  focus  was  upon  coverage  of  those  agencies  repre¬ 
senting  the  preponderance  of  government  computer  systems  as  reflected  in  the 
GSA  inventory.  The  objective  was  not  only  to  indicate  policy  per  se,  but  to 
suggest  relative  degree  of  coverage  within  the  Executive  Branch  in  terms  of 
number  of  systems  included.  Additionally,  documents  obtained  by  the  subcom¬ 
mittee  came  from  personal  contacts  of  the  subcommittee  members  and  from  sub¬ 
committee  members'  files.  Specific  agency  coverage  is  noted  herein.  However, 
while  coverage  is  considered  extensive  by  virtue  of  members'  collective  ex¬ 
perience  in  this  field,  there  may  be  other  national  level  documents  not  here 
included. 

Further,  although  inference  may  be  made  concerning  overall  relative 
quality  of  documents  in  terms  of  indicators  specified,  the  subcommittee  did  not 
attempt  to  directly  address  evaluation  of  national  or  department/agency  com¬ 
puter  security  policy  and  associated  programs.  The  primary  consideration  for 
survey  purposes  was  to  identify  presence  or  absence  of  the  particular  policy 
attribute,  not  even  relative  degree  of  completeness.  For  example,  on  question 
7a(l)  of  the  questionnaire,  a  policy  document  may  assign  program  responsibil¬ 
ity  poorly  (e.g.,  fragmented  assignment  to  multiple  organizational  elements, 
with  no  one  element  having  overall  responsibility),  but  the  document  does 
assign  computer  security  program  responsibilities. 

A  second  very  important  follow-on  facet  of  an  effective  security  program 
is  the  nature  and  extent  of  program  oversight.  An  attempt  was  made  in  this 
survey  to  indicate  these  mechanisms  where  they  are  known  to  exist;  however, 
coverage  thereof  is  incomplete.  Since  some  oversight  activities  have  clearly 
indicated  negative  findings,  promulgating  sound  policy  is  often  just  the  first 
step  in  obtaining  effective  field  implementation. 

Other  aspects  viewed  as  critical  to  the  effective  implementation  of 
government  computer  security  programs  are  not  directly  addressed  in  this 
survey.  Included  here  are  the  relative  degrees  of  higher  level  management 
support,  and  often  correlated  therewith,  relative  allocation  of  resources. 
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both  aaapower  aod  funding.  A  relativ*  measure  of  management  support  may  be 
inferred  from  the  existence  per  se  of  both  department/agency  and  national 
level  policies  and  from  established  oversight  mechanisms;  however,  comparative 
evaluation  of  computer  security  field  implesientation  is  clearly  beyond  the 
scope  of  this  report. 

Report  Organization.  The  following  sections  reflect,  in  sequence: 
results  of  the  survey  of  Executive  Branch  department  and  agency  computer 
security  policy  documents;  similar  treataient  of  policy  documents  identified  at 
the  national/Executive  Branch  level;  description  of  such  oversight  mechanisms 
as  exist  at  Che  national  level  and  have  Co  varying  degrees  concerned  them¬ 
selves  with  computer  security  as  such,  or  in  the  case  of  the  Information 
Oversight  Office,  manifest  Che  intention  and  probable  potential  to  do  so;  and 
a  description  of  higher-lever  policies'  impact  on  one  organization  at  the 
department/agency  level. 

Terminology 

For  purposes  of  this  report,  the  following  definitions  ace  employed. 

First  of  all,  a  policy  is  simply  considered  a  decision  made  in  advance 
and  independent  of  a  specific  instance  or  particular  situation,  which  is 
promulgated  in  an  authoritative,  directive  issuance.  A  security  policy  is 
such  a  decision  that  essentially  contains  the  following  elements; 

1.  Some  asset  or  assets  deemed  to  be  of  value 

2.  Some  perceived  threat  or  set  of  threats  to  the  asset(s) 

3.  Some  vulnerability  or  vulnerabilities  associated  with  the  asset(s) 

4.  A  resultant  risk  scenario  incorporating  the  foregoing,  and 

5.  A  decision  concerning  the  relative  allocation  of  protection  re¬ 
sources  . 

Computer  security  policies  involve  computer  systems  and  the  associated 
information  processed  and/or  functions  performed  as  the  assets  to  be  pro¬ 
tected. 

The  terms,  "computer  system",  "computers"  and  "ADP  system"  as  used  herein 
apply  to  "Automatic  Data  Processing  Equipment"  as  defined  in  the  Automatic 
Data  Processing  Equipment  Inventory  in  the  United  States  Government,  published 
by  the  General  Services  .Administration  (CSA)  [8),  to  specifically  include 
associated  equipment*  (i.e.,  computers  plus  auxiliary  and  accessorial  equip¬ 
ment),  facilities,  personnel,  software,  data  and  procedures. 


*Recent  General  Services  Administration  commodity  decisions  have  resulted  in 
the  reclassification  of  the  majority  of  word  processing  equipment  into  Federal 
Supply  Classification  Group  70,  "General  Purpose  Automatic  Data  Processing 
Equipment."  Some  computer  security  policy  documents  have  begun  to  include 
word  processing  systems  and  equipment  (e.g.,  [I3|). 


5 


"Ag«ncy"  Is  here  used  as  In  3  U.S.C.  322(e),  meaning  any  executive  depart¬ 
ment,  military  department.  Government  corporation.  Government-controlled  corp¬ 
oration  or  other  establishment  In  the  Executive  Branch  of  Che  Government  * 
(Including  the  Executive  Office  of  Che  President  or  any  Independent  regulatory 
agency)  [9]. 

"Classified  Information"  means  Information  and  material  determined  to 
require  protection  against  unauthorized  disclosure  In  the  Interest  of  national 
security  (l.e.,  Che  national  defense  and  foreign  relations  of  the  United 
States)  and  designated  a  level  of  classification  pursuant  to  Executive  Order 
1206S[l0]  or  prior  order,  or  classified  as  provided  In  the  Atomic  Energy  Act 
of  1934,  as  amended. 
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II.  EXECUTIVE  BRANCH  DEPARTMENT  AND  AGENCY  POLICIES 


As  noted,  the  documents  reviewed  for  this  survey  were  limited  to  only  those 
that  authoritatively  treated  computer  security  in  an  essentially  wholistic 
sense  (i.e.,  overall  focus  on  computer  systems  and/or  automated  data  and 
applications,  as  well  as  inclusion  of  the  multiple  computer  security  subdis¬ 
ciplines  noted  above).  This  has  included  both  documents  specifically  on  com¬ 
puter  security  (e.g.,  DoD  Directive  5200.28  (1])  as  well  as  sections  or  parts 
of  larger  documents  that  meet  the  previously  stated  criteria  as  essentially 
comprehensive  computer  security  documents  in  themselves  (e.g..  Part  6  on  computer 
security,  which  is  a  section  of  HEW’s  ADP  Systems  Manual  [11],  or  Agriculture's 
"ADP  Security  and  Privacy"  chapter  of  their  "Departmental  Information 
Processing  Standards  Manual"  [12]). 

The  following  tabulated  results,  which  are  derived  from  survey  of  the  cited 
Executive  Branch  Agencies  and  Departments,  involved  the  review  of  32  separate 
documents  (listed  in  Appendix  C).  However,  in  some  cases  more  than  one 
document  constituted  a  single  policy  set  of  the  same  scope  and  applicability. 

In  such  cases,  one  questionnaire  was  completed  for  both  documents.  An 
example  is  DoD  Directive  5200.28  and  its  companion,  amplifying  ADP  security 
manual,  DoD  Manual  5200. 28-M.  Accordingly,  the  Department/ Agency  "data  base" 
of  questionnaires  consists  of  27  questionnaires,  reflecting  32  documents 
reviewed.  All  of  these  were  formally  promulgated  policies,  except  for  one 
proposed  draft,  and  they  totaled  1,316  pages. 

Results 

A  summary  questionnaire,  reflecting  both  numerical,  cumulative  positive 
responses,  as  well  as  respective  percentages  thereof  from  the  total  number 
of  department/agency  questionnaires,  is  attached  as  Appendix  D. 

Authoritative  Bases.  Sixty-three  percent  of  the  questionnaires  reflected 
policies  in  implementation  of  national  security  information  protection 
responsibilities  assigned  by  Executive  Order  12065.  Additional  authoritative 
bases  associated  with  national  security  information  and  the  percentage  of 
positive  responses  are  the  following: 

Atomic  Energy  Act  of  1954,  TJ 

Special  Access  Programs  for  Intelligence  (E.O.  12036,  OCID  No.  1/16),  30% 
E.O.  10865,  "Safeguarding  Classified  Information  within  Industry",  15% 

E.O.  12036  as  such,  7% 

National  Communication  Security  Directive,  15% 

Authority  for  unclassified  information  included  the  following: 

Privacy  Act  of  1974,  41% 

The  related  0MB  Circular  A- 108,  UJ 
Transmittal  MesK)  to  0MB  Circular  A-71,  30% 

Records  exempt  from  disclosure  under  the  Freedom  of  Information  Act,  7J 

Others  no«ed  with  only  one  positive  response  are  identified  in  the 
sumsMry  questionnaire  (Appendix  0). 
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Applicability.  Twenty-five  of  the  questionnaries ,  or  93%.  reflected  documents 
applying  to  the  originating  department  of  agency  and  its  components  and  facili¬ 
ties.  Twenty-three,  or  85%.  further  applied  in  some  fashion  to  department/ 
agency  contractors.  (NOTE:  Many  of  these  agencies  participated  in  the  Defense 
Industrial  Security  Program  which  covers  all  contractors  handling  classified 
information  except  when  the  AOP  systems  are  agency  owned  and  controlled  and  are 
located  on  agency  premises,  but  contractor  operated  —  in  this  case,  the  agency 
vice  the  Industrial  Security  Manual  [13]  may  prescribe  required  security 
measures) . 

Scope.  For  information/ data  included  within  the  policy  documents  positive 
responses  were  the  following: 

Classified  National  Security  Information,  78% 

Unclassified  "National  Security  Related  Information",  30% 

Personal  Information  Related  to  Individuals  ("Privacy"),  59% 

Other  agency/ department  "Sensitive  Information  and  Records",  52% 

Other  attributes  of  policy  scope  included  the  following: 

ADP  systems  (i.e.,  "Automatic  Data  Processing  Equipment",  including 
computers  and  auxiliary  or  accessorial  equipment  such  as  I/O  devices 
and  coonunications  equipment) ,  100% 

Areas  housing  ADP  systems  and  their  components,  82% 

Computer  Programs  (i.e.,  software),  89% 

Other  ADP  resources  and  supplies,  63% 

Responses  concerning  policies  that  generally  contained  security  requirements 
pertaining  to  the  entire  life  cycle  were  as  follows: 

ADP  or  computer  systems  specified,  85% 

Individual  data/application  systems,  63% 

Coaiputer  Security  Subdisciplines.  Responses  here  include  requirements  that 
may  be  enumerated  in  a  separate  document  but  are  specifically  cited  as  policy 
requirements;  for  example,  the  computer  security  policy  document  requires 
personnel  security  or  communication  security  actions  set  forth  in  a  referenced, 
separate  document.  Results  are  as  follows: 

Personnel  security,  96% 

Physicial  Security,  100% 

Communications  security,  89% 

Emanations  security,  70% 

Administrative/Procedural  security,  96% 

Hardware/ software  security,  96% 

'  Program  Coaiponent  Elements .  Positive  questionnaire  responses  concerning 
various  elements  of  agency/ department  computer  security  policies  and  associated 
programs  are  as  follows: 
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a.  Assignment  of  Responsibility; 

(1)  For  computer  security  within  the  Agency  or  Department 
(i.e.  specification  of  a  headquarters  staff  element 
as  responsible  for  policy  promulgation  and  program 
oversight) ,  96% 

(2)  For  specific  AOP  systems  or  ADP  installations  (e.g. 

Appointment  of  ADP  System  Security  Officers),  93% 

b.  Management  Control  Process  to  assure  that  administrative,  physical, 
technical  and  other  safeguards  are  included  in  agency  computer  systems;  96% 

c.  Formally  designated  approving  authority  for  the  security  aspects  of 
covered  ADP  systems;  78% 

d.  Overall  security  specifications/requirements;  85% 

e.  Review,  test  and/or  evaluation  required  as  a  basis  for  system  approval 
for  operation;  74% 

£.  Audit  or  other  follow-up  system  or  program  security  evaluations;  78% 

g.  Risk  Analysis  or  Risk  Assessment  methodologies;  70% 

h.  Security  Requirements/Specifications  Applicable  to  Procurement  (i.e. 
equipment,  systems  or  related  services);  74% 

i.  Requirements  for  Contingency  Planning;  67% 

j.  Personnel  Screening  Requirements;  78% 

k.  Specification  of  an  authority  to  grant  waivers;  56% 

l.  Requirement  to  specify  an  ADP  security  budget;  15% 


Summa  ry  Comments 


Of  the  fifteen  Executive  Branch  departments  and  agencies  surveyed,  all 
had  some  computer  security  policy  promulgated.  Within  that  number,  however, 
there  are  manifest  differences  in  approaches  (e.g.  one  omnibus  document  or 
separate  documents  associated  with  separate  authorities),  scope  and  applic¬ 
ability. 


Authoritative  Bases  as  distributed  appear  to  follow  the  historical 
sequence  of  various  communities’  concern  with  the  subject.  The  area  of 
classified  national  security  information  was  the  first  known  to  give 
serious  concern,  and  the  first  computer  security  policy  documents  known 
emerged  here  e.g.,  DoD  Directive  5200.28  in  1972.  Reflecting  that  sequence, 
the  greatest  number  of  positive  responses  (63%)  are  associated  with  Executive 
Order  12065,  "National  Security  Information,"  [10]  the  omnibus  E.O.  charging 
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protection  of  classified  national  security  information  (this  would  include 
E.O.  12065 's  predecessors).  Second  most  frequently  cited  authority  is  the 
Privacy  Act  of  1974  (41%)  and  associated  0MB  Circular  A-108  [9],  "Respons¬ 
ibilities  for  the  Maintenance  of  Records  About  Individuals  by  Federal  Agencies." 
Third  is  the  most  recent  Executive  directive  in  this  area,  which  includes  all 
classified  and  nonclassified  information.  Transmittal  Memorandum  No.  1  to  0MB 
Circular  A-71,  issued  in  1978  [7]  (30%  positive  responses). 

It  would  be  expected  that  this  last  percentage  will  increase  over  time, 
based  on  past  experience.  For  example,  DoD  Component  implementing  documents 
for  DoO  Directive  5200.28  required  about  two  years  for  development,  staffing 
and  review  —  this  was  development  of  subordinate  echelons'  policy  documents 
only,  not  the  establishment  of  effective  implementing  programs  in  the  field  — 
and  the  scope  and  applicability  of  OoO  Directive  5200.28  is  in  many  aspects 
substantially  narrower  than  TM  1  to  0MB  Circular  A-71. 


10 


III.  "NATIONAL"-LEVEL  COMPUTER  SECURITY  POLICIES 

Perhaps  the  most  sigaificanc  facet  of  the  subcommittee's  efforts  relative 
to  the  primary  purposes  of  the  parent  Computer  Security  Working  Group  was  a 
derivative  effort,  through  the  survey  of  departmental  and  agency  policy  docu¬ 
ments,  to  identify  applicable  national  issuances  meeting  the  selection  criteria 
set  forth  earlier.  It  is  also  a  facet  most  directly  related  to  the  associated 
NCSC  proposal  cited  initially  here.  A  diverse  set  of  such  existing  policies 
were  revealed,  ranging  from  some  of  quite  narrow  scope  to  the  0MB  policy 
requireoMnts  below  which  are  very  broad  in  scope  (i.e.,  all  Federal  department/ 
agency  data  and  applications  processed  by  computer,  to  include  contractor 
activities  effected  on  behalf  of  a  department  or  agency). 

National  Security  Information 

Historically,  computer  security  policies  first  emerged  in  various  func¬ 
tional  areas  where  the  handling  of  classified  national  security  information 
was  involved.  As  noted  in  the  preceeding  department/agency  survey  results, 
the  most  commonly  cited  authoritative  basis  for  an  agency  policy  (63%)  was 
Executive  Order  12065  1 10]  or  its  predecessors  (e.g.,  E.O.  11652,  1972;  E.O. 

10501,  1953,  and  so  on),  although  none  of  these  Executive  Orders  qualify  as 
"computer  security  policy  documents"  as  defined  herein.  In  implementing  the 
basic  charge,  however,  some  agencies  have  developed  computet  security  policy 
dealing  with  national  security  information  in  the  ADP  environment  and  so  have 
authorities  for  various  types  of  Special  Access  Program  information.  The 
former  are  covered  in  the  previous  section,  the  latter  include  the  following: 

NATO  -  The  Secretary  of  Defense  functions  as  U.S.  Security  Authority  for 
NATO  Affairs  (USSAN) ,  and  the  U.S.  complies  with  securoty  requirements  for  the 
protection  and  handling  of  NATO  classified  information  by  virtue  of  interna¬ 
tional  treaty. 

These  are  implemented  by  USSAN  Instruction  1-69,  "Implementation  of  NATO 
Security  Procedure  (U),"  (CONFIDENTIAL),  which  in  turn  ioiplements  NATO  RESTRICED 
Document  C-M(SS) IS(Final) ,  "Security  Within  the  North  Atlantic  Treaty  Organization," 
March  8,  1955,  as  amended.  Enclosure  "C"  to  the  latter  document  contains  a 
Section  X,  "Protection  of  Classified  Information  Handled  and  Stored  in  Automatic 
Data  Processing  Systems"  that  applies  to  NATO  commands  and  agencies  as  well  as 
member  nations  [IS],  including  the  U.S.,  that  use  NATO  classified  information, 
including  ADP  systems  used  solely  for  communications  purposes.  Also  included 
therein  are  special  restrictions  on  the  use  of  U.S.  Special  Access  Program 
information  (i.e.,  "US  SIOP"). 

Intelligence  -  The  Director  of  Central  Intelligence  has  promulgated 
computer  security  policies  for  the  protection  of  "intelligence  information" 

(i.e.,  foreign  intelligence  and  foreign  counterintelligence  as  defined  in 
Section  4,  Executive  Order  12036,  and  as  classified  under  the  provisions  of 
Executive  Order  12065)  involving  sensitive  intelligence  sources  and  methods. 

The  basic  Director  of  Central  Intelligence  Directive  and  associated  "Computer 
Security  Regulation"  set  forth  computer  security  policy  requirements  for  ADP 
systems  and  networks  that  process  "intelligence  information"  and  apply  to  both 
government  and  contractor  ADP  systems  and  networks.  Excluded,  however,  are  ADP 
systems  and/or  networks  that  are  used  exclusively  for  telecommunications  services. 
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Programs  for  Governmeat  Classified  Contracts 

Defense  Industrial  Security  Program.  By  virtue  of  the  number  of  depart¬ 
ments  and  agencies  included  and  an  authoritative  basis  provided  by  Executive 
Order  10865  [16],  the  Defense  Industrial  Security  Program  approaches  an  Execu¬ 
tive  Branch-level  computer  security  program. 

The  Program  is  administered  by  the  Defease  Department  on  behalf  of  sixteen 
other  Executive  Branch  agencies  in  addition  to  the  DoD  components.  It  is 
based  on  a  "one  face  to  industry"  approach,  established  under  the  Executive 
Order  in  recognition  of  the  conflicts  and  lack  of  uniformity  that  would  result 
if  each  agency  developed  itj  own  Industrial  security  program.  Accordingly, 
the  E.O.  specifically  provided  for  the  extension  of  the  DoD  program  to  include 
other  Federal  agencies  (Figure  5). 

Program  policies  meet  the  computer  security  policy  document  test  herein 
and  are  primarily  contained  in  Section  XIII  of  the  "Industrial  Security  Manual 
for  Safeguarding  Classified  Information,"  DoD  Manual  5220. 22-M,  April  1980 
[131. 


The  computer  security  policies  included  in  the  program  are  of  relatively 
long  standing  (efforts  to  develop  computer  security  training  for  DoD  Industrial 
Security  inspectors  began  in  1969) ,  and  the  most  recent  addition  has  been 
adoption  of  interim  security  requirements  for  word  processing  systems  and 
equipment  (pending  formal  coordination  and  final  approval). 

Other  Agency  Programs .  Of  the  fifteen  agencies  reviewed  by  this  survey, 
all  are  included  within  the  DISP  but  Department  of  Energy,  Nuclear  Regulatory 
Commission  and  the  CIA.  Each  of  these  have  analogous  policies  and  programs 
for  inspection  and  approval  of  contractor  facilities  (e.g.,  [18  &  19]).  There 
are  also  similar  industrial  programs  for  Special  Access  Program  information, 
such  as  DIA' s  [20] . 

Personal  Information  Subject  to  the  Privacy  Act 

The  Privacy  Act  of  1974  (Public  Law  Mo.  93-579,  5  U.S.C.  55a)  is  imple¬ 
mented  within  the  Executive  Branch  primarily  through  Office  of  Management  and 
Budget  (0MB)  Circular  No.  A- 108,  "Responsibilities  for  the  Maintenance  of 
Records  About  Individuals  by  Federal  Agencies,"  as  amended  [9]  (i.e.  Trans¬ 
mittal  Memorandum  No.  5  to  0MB  Circular  A-108,  August  3,  1978).  The  Circular 
defines  responsibilities  for  implementing  the  Privacy  Act  "to  assure  that 
personal  information  about  individuals  collected  by  Federal  agencies  is  limited 
to  that  which  is  legally  authorized  and  necessary  and  is  maintained  in  a 
manner  which  precludes  unwarranted  intrusions  upon  individual  privacy." 

Relative  to  this  report,  the  Circular  applies  to  all  Federal  agencies  and 
requires  the  head  of  each  agency  to  "establish  reasonable  administrative, 
technical,  and  physical  safeguards"  for  protecting  personal  information  sub¬ 
ject  to  the  Act,  to  include  such  information  handled  by  ADPE,  and  such  infor¬ 
mation  handled  by  government  contractors . 

Specific  tasking  associated  with  the  computer  environment  included  the 
following: 
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—  The  Secretary  of  Convnerce  was  tasked  to  issue  standards  and  guidelines 
on  cooaputer  and  data  security;  and, 

tne  Administrator  of  General  Services  was  tasked  to  "revise  computer 
and  telecommunications  procurement  policies  to  provide  that  agencies  must 
review  all  proposed  equipment  and  services  procurements  to  assure  compliance 
with  applicable  provisions  of  the  Act;  e.g..  Report  on  New  Systems." 

Omnibus  Policy  --  The  0MB  Federal  Computer  Security  Program 

In  announcing  establishment  of  a  Federal  computer  security  program  (TM  1 
to  0MB  A-71  [7])  in  July  1978,  0MB  Director  McIntyre  said,  "Computer  technology 
now  impacts  almost  every  facet  of  American  life.  The  protection  of  the  techno- 
logy  against  unwarranted,  unauthorized  and  illegal  uses  is  a  major  challenge. 

This  program  addresses  chat  challenge  in  the  Federal  community"  (emphasis  added) 
TITT.  The  scope,  applicability  and  ocher  attributes  of  the  program  are  described 
below. 

QMB  Computer  Security  Program  Minimum  Requirements.  The  OMB-directed  computer 
security  program  requires,  "at  a  minimum",  each  Federal  department  and  agency 
Co: 


-  Assign  responsibility  for  the  security  of  each  computer  installation 
operated  by  or  on  behalf  of  the  agency  to  a  management  official  knowledgeable 
in  data  processing  and  security; 

*  Establish  personnel  security  policies  for  all  Federal  and  contractor 
personnel  involved  in  the  design,  operation,  or  maintenance  of  or  having  access 
to  data  in  Federal  computer  systems; 

-  Establish  a  management  control  process  to  assure  that  appropriate 
administrative,  physical  and  technical  safeguards  are  incorporated  into  all 
new  computer  applications  and  significant  modifications  to  existing  applica¬ 
tions  (for  applications  deemed  "sensitive,”  this  includes:  prior  definition 
and  approval  of  security  specifications  and  the  conduct,  approval  and  certifi¬ 
cation  of  design  reviews  and  application  systems  tests); 

-  Conduct  periodic  risk  analyses  for  each  computer  installation  operated 
by  or  on  behalf  of  the  agency  (at  least  every  five  years); 

-  Assure  that  appropriate  security  requirements  are  included  in  the 
specifications  for  the  acquisition  or  operation  of  computer  facilities  or 
services  (above-cited  management  official  must  review,  approve  and  certify  the 
sufficiency  of  these  requirements); 

-  Conduct  independent  periodic  audits  or  evaluations  snd  recertify  the 
adequacy  of  the  securi'ty  safeguards  of  each  operational  sensitive  application 
(at  least  every  three  years);  and, 

*  Assure  that  appropriate  coctingency  plans  are  developed  and  maintained 
to  provide  for  continuity  of  operations  should  events  occur  which  prevent 
normal  operations;  periodically  review  and  test  these  plans. 
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QMB  Tasking  for  Additioaal  Requirements.  ‘In  support  of  the  program,  0MB  has 
further  tasked  the  following  agencies  as  indicated  below; 

-  The  Department  of  Commerce  to  develop  and  issue  comuter  system  security 
standards  and  guidelines; 

-  The  General  Services  Administration  to  issue  policies  and  requlations 
for  the  physical  security  of  computer  roomd  and  assure  that  securoty  require¬ 
ments  are  included  in  agency  procurements;  and, 

-  The  Office  of  Personnel  Management  to  establish  personnel  security 
policies  for  Federal  personnel  associated  with  computer  systems. 

Supplemental  Central  Agency  Policy 

Pursuant  to  the  above  0MB  tasking,  the  Office  of  Personnel  Management  (0PM) 
has  already  promulgated  Federal  personnel  security  policies  in  this  area,  and 
the  General  Services  Administration  (GSA)  has  apparently  fulfilled  their  task¬ 
ing.  National  Bureau  of  Standards,  Department  of  Commerce,  has  published  a 
substantial  number  of  computer  security  guidelines  (Appendix  A)  and  is  engaged 
in  standards  development  efforts. 

Office  of  Personnel  Management.  On  November  14,  1978,  0PM  issued  their 
Federal  Personnel  Manual  Letter  732-7,  "Personnel  Security  Program  for  Posi¬ 
tions  Associated  with  Federal  Computer  Systems  (22)  (subsequently  incorporated 
into  the  Federal  Personnel  Manual) .  Pursuant  to  responsibilities  assigned  by 
TM-1,  0MB  A-71,  the  bulletin  was  the  first  step  in  establishing  personnel 
security  policies  for  screening  all  individuals  participating  in  the  design, 
operation  or  maintenance  of  Federal  computer  systems  or  having  access  to  data 
in  Federal  computer  systems,  to  include  both  Federal  employees  and  contractor 
personnel.  0PM  Bulletin  No.  732-2,  January  11,  1980  further  set  forth  autho¬ 
rities  for  investigating  contractor  personnel  and  procedures  for  requesting 
such  investigations  from  0PM  [23]. 

With  regard  to  Federal  employees,  the  0PM  guidance  established  criteria 
for  designating  personnel  position  sensitivity  "to  be  viewed  separately,  but 
in  addition  to  the  more  traditional  relationship  to  the  national  security"  as 
currently  employed  under  E.O.  10450  [24] . 

General  Services  Administration.  GSA  actions  included  amendments  to  the 
following  documents; 

--  Federal  Property  Management  Regulations.  Amendments  (FPMR  Amendment 
F-42  [25])  have  been  published  in  August  1980.  The  amendment  to  FPMR  Part 
101-35*  provides  government-wide  security  management  guidance  for  the  protec- 


*Specif ically  noted  by  the  Subcommittee  is  a  conflict  between  provisions  of 
the  FPMR  part  cited  and  the  provisions  of  Presidential  Directive/NSC-24, 
Subject:  "Telecommunications  Protection  Policy  (U),"  as  revised  February  9, 
1979,  with  regard  to  authority  and  jurisdiction  in  the  area  of  telecommunica¬ 
tions.  Another  conflict  of  authorities  from  separate  policies  is  identified 
on  page  25. 
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tioa  of  ADP  and  teleconaunication  syaCeaa  and  facilities.  This  new  subpart  ' 
contains  the  policy  provision  that  "Federal  agencies  shall  insure  that  an 
adequate  level  of  security  is  provided  for  all  AOP  and  teleconsmnication 
systeas  and  services,  including  those  provided  by  contractors,"  and  then 
defines  and  describes  associated  requireaents  and  responsibilities.  The 
saendaents  to  subpart  101-36.7.  "Environawnt  and  Physical  Security,"  provide 
guidelines  to  Federal  agencies  on  the  environaental  and  physical  security  of 
ADP  facilities. 

— >  Federal  Procureaent  Regulations.  Aawndaents  (FPR  Aaendaent  210)  [26] 
published  in  October  19S0  included  the  following  pertinent  to  cosiputer  security: 

Section  1-4.1104  added  the  requireoient  that  agencies'  cosiputer  security 
requireaents  be  included  in  agencies'  procureaent  requests  to  6SA. 

Section  1-4.1107-21  prescribes  Govemswnt  coaputer  security  requireaents 
in  connection  with  solicitations,  contracts,  and  contract  adainistration. 

The  foregoing  desMnstrates  the  existence  of  Federal  coaputer  security 
policies  and  associated  prograas.  The  aost  critical  one  of  these,  however, 
is  the  policies,  responsibilities  and  prograa  established  by  QHB  under  the 
auspices  of  Executive  Branch  iapleaentation  of  portions  of  the  Brooks  Act 
(i.e.,  OMB  Circular  A-71  as  such): 

"This  includes  responsibility  for  the  establishaent  of  physical, 
adainistrative  and  technical  safeguards  required  to  adequately 
protect  personal,  proprietary  and  other  sensitive  data  not  sub¬ 
ject  to  national  security  regulations,  as  well  as  Mtional 
security  data"  (esqihasis  added)  (Paragraph  4.,  [7]). 

The  requireaent  to  effectively  integrate  nuaerous  relatively  independent 
prograsu  becoaes  even  aore  aanifest  when  one  considers  the  contractor  arena  in 
conjunction  with  the  prograas  snuaerated  above.  The  Industrial  Security  Pro¬ 
graa  alone  precludes  industry  froa  having  to  deal  with  seventeen  or  aore 
separate  prograsu  in  the  classified  arena.  Industry  has  expressed  concern  with 
this  happening  in  iapleaentation  of  TM-1  to  A-71,  and  the  saae  concern  with 
regard  first  to  OPH  policies  iapleaenting  TH-1  proapted  the  Assistant  Secretary 
of  Oefnue  (Cos^troller)  to  suggest  to  OHB  that  iapleaentation  of  the  contrac¬ 
tor  eaployee  personnel  security  requireaents  of  TH-l  be  carried  out  by  auans  of 
a  aodification  of  the  existing  Industrial  Security  Prograa,  to  coordinate  and 
effect  unifosa  iapleaentation.  The  saae  rationale  could  be  said  to  apply  for 
the  further  extension  of  the  Industrial  Security  Prograa' s  current  nation-wide 
cspebilities  for  the  on-site  inspection  and  approval  of  contractor  ADP  systems 
ia  tha  broadest  sense. 
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IV.  NATIONAL  COMPUTER  SECURITY  POLICY  &  PROGRAM  OVERSIGffT 


As  suggested  above,  pronulgatioa  of  computer  security  policy  is  step  oue 
ia  achieving  the  end  result  —  acceptably  secure  operating  computer  systems. 
While  the  identification  of  policy/program  oversight  and  monitorship  was  not 
an  explicit  charge  of  the  subcommittee,  such  activities  were  duly  noted  during 
the  course  of  the  survey,  along  with  the  manifest  fact  that  these  activities 
often  detail  clearly  negative  findings  with  regard  to  implementation  in  the 
field  of  already  established  policy.  Accordingly,  in  at  least  large,  complex 
organisations,  such  formal  oversight  activities  are  deesied  requi red  for  essen¬ 
tial  feedback  on  policy  implementation,  particularly  as  a  basis  for  effecting 
corrective  action. 

There  follows  a  summary  of  oversight  activities  and  related  attention  to 
the  specific  problem  of  computer  security  in  its  various  facets  —  this  summary 
clearly  indicates  that  concern,  including  concern  transcending  the  Executive 
Branch,  exists  and  that  computer  security  policy  oversight  mechanisms  at  the 
Executive  Branch/ national  levels  likewise  are  in  place  and  operating,  as  a 
complement  to  promulgated  policy.  The  sequence  of  highlighted  activities  is 
summarized  in  Figure  6.  However,  no  attempt  is  made  to  evaluate  the  compara¬ 
tive  effectiveness  or  other  attributes  of  these  mechanisms,  singly  or  in 
combination. 

The  Congress  &  The  General  Accounting  Office 

Interest  ia  computer  security  matters  by  the  Congress  has  stemmed  from 
broader  concern  for  the  effective  management  of  cos^uter  and  information 
resources  (e.g.  enactment  of  the  1965  Brooks  Act,  P.L.  89-306),  and  the  growing 
awareness  over  the  past  decade  of  the  value  and  sensitivity  of  Federal  AOP 
programs  and  services.  The  Privacy  Act  of  197A  (P.L.  93-567)  was  an  early 
milestone  in  the  1970 's  that  specified  protection  of  personal  data,  and  since 
many  Federal  personnel  and  other  data  systems  with  personal  data  are  automated, 
the  Act  led  to  increased  emphasis  on  the  use  of  computer  security  measures  per 
se. 


1976  GAO  Reports.  More  comprehensive  concern  for  computer  security  as 
such  was  focused  by  the  publication  of  three  reports  on  facets  of  computer 
security  in  the  Spring  of  1976  by  the  General  Accounting  Office  (GAO) ,  an 
investigative  and  auditing  arm  of  the  Congress.  These  were  "Improvements 
Needed  in  Managing  Automated  Decisionmaking  by  Computers  Throughout  the  Federal 
Govenunent,"  April  23,  1976  [27];  "Computer-Related  Crimes  in  Federal  Programs," 
April  27,  1976  [28];  and,  "Managers  Need  to  Provide  Better  Protection  for 
Federal  Automatic  Data  Processing  Facilities,”  May  10,  1976  [29]. 

Senate  Staff  Studies.  Shortly  thereafter,  the  Chairman  of  the-then 
Senate  Committee  on  Government  Operations  (now  Senate  Committee  on  Governmental 
Affairs),  Senator  Ribicoff,  announced  that  he  had  directed  the  Committee  staff 
to  conduct  a  preliminary  inquiry  into  the  problems  associated  with  the  areas 
highlighted  by  GAO.  The  Committee  subsequently  issued  two  studies  dealing 
with  computer  security.  The  first,  entitled  "Problems  Associated  with  Computer 
Technology  in  Federal  Programs  and  Private  Industry  --  Computer  Abuses,"  [30] 
reviewed  sosm  of  the  oujor  issues  and  problems,  and  it  included  the  three  1976 
GAO  studies  cited  above. 
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NATIONAL  LEVEL  INTEREST 


GAO  REPORTS: 


•  “IMPROVEMENTS  NEEOEO  IN  MANAGING  AUTOMATED  DECISIONMAKING 
BY  COMPUTERS  THROUGHOUT  THE  FEDERAL  GOVERNMENT”  (APR  76) 

•  “COMPUTER-RELATED  CRIMES  IN  FEDERAL  PROGRAMS"  (APR  76) 

•  "MANAGERS  NEED  TO  PROVIDE  BETTER  PROTECTION  FOR  FEDERAL  AUTOMATIC 
DATA  PROCESSING  FACILITIES"  (MAY  76) 


PRESII 

GAO  R 


SENATE  COMMITTEE  ON  GOVERNMENT  OPERATIONS: 

•  “COMPUTER  A6USES--PR0BLEMS  ASSOCIATED  WITH  COMPUTER  TECHNOLOGY 
f  IN  FEDERAL  PROGRAMS  &  PRIVATE  INDUSTRY"  (JUN  76) 

r*  "COMPUTER  SECURITY  IN  FEDERAL  PROGRAMS"  (FEB  77) 


•  "SECURITY  OF  FEDERAL  AUTOMATED  INFORMATION  SYSTEMS," 
TRANSMITTAL  NO.  1  TO  0M8  CIRCULAR  NO.  A-71 

^  DRAFT  FOR  COORDINATION  (SEP  77} 

B  FINAL  ISSUANCE  (JUL  78) 


PRESIDENT:  INITIATIVE  TO  ATTACK  FRAUD  &  WASTE 


•  000  STEERING  GROUP  ON  OVERSIGHT  OF  DEFENSE  ACTIVITIES 

SUBCOMMITTEE  ON  COMPUTER  FRAUD 

lAO  REPORTS: 

•  "AUTOMATED  SYSTEMS  SECURITY-FEDERAL  AGENCIES  SHOULD  STRENGTHEN 
SAFEGUARDS  OVER  PERSONAL  AND  OTHER  SENSITIVE  DATA"  (JAN  79) 

•  GAO  LETTER  TO  SECOEF  (MAR  79) 


fifon  6 
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A  1977  follow-up  report  (31]  by  the  staff  included  recommendations  that  the 
Office  of  Management  and  Budget  (0MB)  direct  Federal  agencies  to  put  into 
effect  appropriate  computer  security  controls  and  safeguards  and  that  Federal 
agencies  improve  coordination  of  computer  resource  protection  efforts,  develop 
additional  computer  security  standards  and  establish  personnel  security 
policies.  (As  noted  above,  0MB  has  initiated  a  computer  security  program  in 
keeping  with  these  recomnendations  and  the  statutory  requirements  of  the 
Privacy  Act  of  1974). 

Based  partly  on  the  foregoing.  Senator  Ribicoff  also  introduced  the 
"Federal  Computer  Systems  Protection  Act  of  1977",  S.  1766.  With  no  final 
action  in  the  95th  Congress,  the  "Federal  Computer  Systems  Protection  Act  of 
1979"  (S.  240;  M.R.  6196  in  the  House)  was  introduced  by  Senator  Ribicoff.  The 
Bill  in  essence  would  make  it  a  crime  to  use  or  attempt  to  use  a  computer  with 
intent  to  defraud  or  obtain  property  falsely  and  to  embezzle  or  steal  property. 
On  Nov.  6,  1979,  the  Senate  Judiciary  Subcommittee  on  Criminal  Laws  and  Proce¬ 
dures  referred  an  amended  version  of  the  Bill  to  the  full  Committee  for 
consideration. 

More  recently,  the  GAO  initiated  a  Government-wide  survey  of  ADP  System 
Backup  Planning  in  October  1979  (e.g.,  USGAO  letter  of  September  19,  1979,  to 
Secretary  of  Defense  Brown) ,  keyed  among  other  things  to  implementation  of  the 
relevant  provision  in  TM  #1  to  0MB  Circular  A-71. 

Office  of  Management  and  Budget,  Executive  Office  of  the  President 

0MB  has  formally  promulgated  omnibus,  comprehensive  computer  security 
requirements  for  Federal  government  data  and  applications  processed  by  govern- 
oient  or  contractor  computer  systems  in  July  1978  [7].  The  promulgating  docu¬ 
ment  called  for  each  Executive  Branch  department  and  agency  to  provide  OHB 
with  an  impleowntation  plan.  To  oversee  program  implementation  and  specific¬ 
ally  review  department/agency  implementation  plans,  OMB  initially  established 
an  ad  hoc  team  in  December  1978.  Due  to  the  wide  variance  in  the  nature  and 
organization  of  department/agency  implementation  plans,  the  team  developed  the 
OMB  checklist  for  purposes  of  more  consistent  comparative  evaluation,  conclud¬ 
ing  this  effort  in  early  1979.  A  second  ad  hoc  team  then  used  the  checklist  to 
review  implementation  plans  during  the  approximate  period  April  through  August 
1979,  completing  the  preliminary  review.  The  OMB  "Agency  Computer  Security 
Program  Checklist"  is  appended  as  Appendix  F,  along  with  an  OMB-generated  list 
of  policies  and  other  computer  security  references.  Initial  OMB-identified 
plan  deficiences  were  communicated  to  departments  and  agencies,  primarily  on 
an  inforaial  basis. 

OMB  intends  to  continuously  and  actively  monitor  Executive  Branch  depart¬ 
ment  and  agency  implementation  of  TMl  to  OMB  circular  A-71  through  the  following 
vehicles:  (1)  through  review  of  agency  budget  submissions,  where  ADP  security 
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is  to  be  a  specific  item  of  concern  during  the  course  of  the  budget  process*; 
(2)  through  ongoing  0MB  monitorship  of  Privacy  Act  implementation;  (3)  and 
through  the  reports  clearance  process  (e.g.  the  Federal  Reports  Act)  wherein 
unclassifiea,  sensitive  information  within  the  scope  of  TMl  can  be  identified. 

Information  Security  Oversight  Office 

The  Information  Security  Oversight  Office  (ISOO)  was  established  by 
Executive  Order  12065  to  actively  oversee  the  information  security  program 
established  by  that  Executive  Order.  As  such,  it  replaced  the  Interagency 
Classification  Review  Committee  (ICilC)  established  by  the  preceding  Executive 
Order  11652  and  is  to  be  viewed  as  an  attempt  to  incorporate  a  more  viable 
mechanism  to  ensure  that  Executive  Branch  agencies  were  effectively  imple¬ 
menting  the  program  (a 'problem  addressed,  for  example,  in  a  GAO  report  of 
March  9,  1979,  entitled  "Improved  Executive  Branch  Oversight  Needed  for  the 
Government's  National  Security  Information  Classification  Program”).  Under  EO 
12065,  the  ISOO  is  required  to  monitor  the  program  of  any  Executive  Branch 
agency  that  handles  classified  national  security  information  (in  contrast  to 
the  ICRC's  monitoring  of  only  those  37  agencies  then  having  original  classi¬ 
fication  authority) ,  so  that  the  ISOO  must  now  monitor  approximately  100 
agencies  and  major  components.  Also  in  response  to  other  ICRC  problems 
(placement  and  lack  of  independent  stature),  the  ISOO  was  located  within  the 
General  Services  Administration  for  administrative  purposes,  but  takes  it 
policy  direction  from  the  National  Security  Council.  During  the  transition 
between  the  two  Executive  Orders,  the  former  ICRC  Executive  Director  became 
the  Acting  ISOO  Director  and  the  ICRC  staff  of  eight  formed  the  nucleus  of  the 
new  ISOO.  By  August  1979,  a  permanent  Director  had  been  appointed  and  the 
ISOO  staff  reached  eleven.  Since  then,  five  program  analysts  joined  the 
staff.  This  staff  augmentation  will  allow  the  ISOO  to  conduct  in-depth  studies 
of  various  aspects  of  the  security  field.  Included  in  these  studies  will  be 
an  examination  of  the  use  of  ADP  systems  in  the  information  security  field. 

It  is  anticipated  that  the  initial  phases  of  this  study  will  be  completed  in 
Fiscal  Year  1981.  In  its  first  annual  report  to  the  President,  the  ISOO 
indicated  that  they  conducted  123  inspections  for  which  a  formal  report  was 
written  [32].  These  covered  52  agencies  plus  25  major  components  and  25  staff 
offices  of  those  agencies,  as  well  as  three  inspections  of  field  activities 
outside  the  Washington  metropolitan  area.  The  ISOO  staff  also  conducted  18 
follow-up  inspections.  In  carrying  out  its  oversight  role,  the  ISOO  also 
reviews  the  implementing  regulations  of  all  monitoring  agencies  and  requires 
such  changes  as  may  be  necessary  to  achieve  compliance  with  the  provisions  of 
Executive  Order  12065  and  its  implementing  ISOO  Directive. 


*Subcoanittee  members  note  that  there  is  no  current  mechanism  in  agency  budget 
submissions  to  identify' expenditures  other  than  research  &  development  (R&D) 
efforts  being  conducted  by  agency  computer  security  R&D  elements  as  such. 
Accordingly,  this  mechanism  is  less  effective  in  potential  than  it  appears  at 
face  value  since  other  ADP  security-related  R&D  and  ADP  security  operations  and 
maintenance  funding  would  not  be  identified.  Furthermore,  survey  findings 
show  this  item  to  have  the  least  frequency  of  positive  responses  in  policy 
documents  reviewed  (c  f.,  p.  8). 
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Inspector  General/Internal  Audit 

Another  set  of  potential  though  general  program  oversight  mechanisms  lies 
in  the  Congressional  establishment  of  additional  internal  investigative  func¬ 
tions  in  Executive  Branch  agencies  and  departments.  Legislation  enacted  in 
the  94th  and  95th  Congresses  provided  for  the  creation  of  inspector  general 
offices  in  most  Federal  departments  and  agencies  (i.e.,  P.L.  94-505  for  HEW; 

P.L.  94-452  for  21  other  Federal  departments  and  agencies  and  P.L.  95-1  for 
DOE).  Such  an  entity  for  the  Defense  Department  is  still  under  active  con¬ 
sideration. 

Programs  to  Combat  Fraud  &  Waste  in  the  Executive  Branch 

The  President's  initiative  to  attack  fraud  and  waste  in  the  Federal 
Government  also  served  to  focus  attention  on  computer  security  as  well  as  the 
internal  audit,  inspection  and  investigative  functions.  In  Defense,  for 
example,  a  high  level  Steering  Group  was  formed  in  1978  to  respond  to  the 
President's  initiative  and  to  improve  the  oversight  of  Defense  activities. 
Noteworthy  is  the  fact  that  the  initial  Defense  report  to  the  President  [33] 
identified  computer  fraud  as  an  important  facet  of  the  overall  program  as  well 
as  summarizing  DoD  Component  ADP  security  programs  and  Defense's  Computer 
Security  Initiative  Program. 

Under  the  Steering  Group,  a  computer  fraud  subcommittee  was  formed  under 
the  Under  Secretary  of  the  Air  Force.  Its  report  to  the  Steering  Group  in  May 
1979  [34]  specifically  recommended  that  computer  security  technology  being 
developed  within  Defense  to  protect  classified  information  should  be  applied 
to  computer  fraud,  with  Defense  taking  a  lead  in  this  application.  To  parallel 
the  development  of  policy  and  procedures  for  limiting  computer  fraud,  recom¬ 
mendations  were  made  to  provide  a  stable  level  of  funding  for  DoD  Computer 
Security  Initiative  Program  [44,45]  technology  efforts  under  the  Assistant 
Secretary  of  Defense  (Communications,  Command,  Control  &  Intelligence),  based 
upon  the  belief  that  the  computer  technology  being  developed  to  protect  clas¬ 
sified  information  would  be  applicable  to  combatting  fraud  (e.g.,  the  methodo¬ 
logies  for  designing  and  verifying  that  internal  comrmter  system  controls  are 
effective).  The  Steering  Group  accepted  the  recommendations  and  the  identified 
initial  funding  was  allocated,  however,  out-year  funding  has  not  been  confirmed. 

Information  on  other  department/ agency  programs  pursuant  to  the  President's 
initiative  was  not  obtained. 

It  is  noted  that  should  some  version  of  the  proposed  "Federal  Computer 
Systems  Protection  Act"  be  enacted,  that  would  in  all  probability  serve  to 
significantly  reinforce  pursuit  of  this  initiative  within  the  Executive  Branch. 


GAO  Follow-up  -- 


Recent  Reports  and  Activities.  In  1977,  GAO  surveyed  selected  agencies  due 
to  the  high  level  of  congressional  interest  in  Federal  information  policies. 
This  review  included  10  civil'  agencies,  but  excluded  the  area  of  national 
security  information  in  Defense  agencies.  Particular  attention  was  given  to 
agencies'  efforts  to  organize  and  implement  broad  programs  of  data  security 
in  compliance  with  0MB  Directives  and  related  computer  security  guidelines 
published  by  the  National  Bureau  of  Standard  (Appendix  A) . 

A  GAO  report  reflected  the  results  of  the  survey,  and  it  is  entitled, 
"Automated  Systems  Security  -  Federal  Agencies  Should  Strengthen  Safeguards 
Over  Personal  and  Other  Sensitive  Data"  [35],  dated  January  3,  1979.  The  GAO 
report  indicated  that  all  agencies  reviewed  had  some  elements  of  a  coaiputer 
security  program  in  varying  stages  of  existence,  however,  they  generally 
lacked  the  management  support  needed  to  be  truly  comprehensive.  With  specific 
reference  to  0MB  Circular  A-71,  TM  1,  GAO  concluded  that  since  the  document  is 
both  directive  and  quite  comprehensive,  it  sets  an  appropriate  framework  for 
agencies'  initiatives  to  correct  computer  security  problems.  It  recommended 
to  0MB  concern  for  a  critical  need  for  0MB  follow-up  on  the  Circular's  require¬ 
ment  that  agencies  prepare  and  submit  plans  for  compliance. 

Highlighted  recommendations  to  the  heads  of  Federal  departments  and 
agencies  to  improve  computer  security  included  the  following: 

--  Computer  security  programs  should'  be  comprehensive  and  include 
plans,  policies  and  procedures  clearly  establishing  organizational  responsi¬ 
bilities  in  writing. 

—  A  computer  security  administration  function  should  be  established 
with  independence  from  computer  operations  and  should  report  directly  to  or 
through  a  principal  official  who  reports  directly  to  the  head  of  the  organi¬ 
zation. 


—  Programs  should  provide  for  feedback  to  management,  both  in  routine 
monitoring/ reporting  and  in  independent  internal  audit. 

—  Risk  management  should  be  provided  for,  on  a  total  data  systems 
perspective. 

--  Security  planning  should  anticipate  needs  for  training,  especially 
in  risk  management. 

The  report  cited  above  excluded  Defense  Components,  deferring  the  latter 
due  to  known,  on-going  internal  audits.  In  a  GAO  letter  report  to  the  Secre¬ 
tary  of  Defense  in  March,  1979,  (36]  GAO  noted  the  foregoing,  stated  that  GAO 
had  subsequently  identified  and  analyzed  106  computer  security-oriented  audits 
related  to  over  270  facilities  and/or  systems  and  also  reviewed  Department  of 
Defense  and  components'  computer  security  programs  and  guidelines.  GAO  stated 
that  this  review  demonstrated  that  the  Department  of  Defense  and  its  Compo¬ 
nents  have  experienced  difficulties  in  each  of  the  broad  areas  discussed  in 
the  Jan  1979  report,  cited  above. 
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Partial  Policy/Program  Integration 

Many  of  the  diverse  activities  and  fflechanisns  cited  above  are  (or  can  be) 
effectively  integrated,  as  suggested  by  the  0MB  comments  on  the  1979  GAO 
report  cited  above  [35].  0MB  specifically  advised  that  the  GAO  information 
and  reconsBendations  would  be  used  in  their  own  assessments  of  Federal  agencies' 
plans  to  comply  with  Circular  A-71  and  other  requirements.  0MB  further  cited  a 
high  priority  on  improving  agencies'  security  programs,  noted  it  has  organized 
a  task  force  to  review  agencies'  plans,  and  that  this  effort  is  coupled  with 
noted  broader  concerns  for  improving  controls  over  fraud  and  waste.  Further 
noted  by  0MB  was  the  indication  that  agencies '  inspector  general  functions 
will  also  focus  on  correcting  these  matters  in  recognition  of  their  importance 
as  key  responsibilities  of  agency  and  department  heads. 

1980  GAO  Evaluation 

During  1980,  GAO  has  been  performing  a  followup  evaluation  of  implementa¬ 
tion  of  the  recommendations  from  its  January  1979  report  cited  above.  This  is 
in  response  to  a  request  from  the  Chairman,  Subcoimnittee  on  Government  Informa¬ 
tion  and  Individual  Rights,  House  of  Representatives  Committee  on  Government 
Operations.  The  report  will  focus  on: 

1.  0MB  and  central  agency  roles  previously  discussed  (pp.  12-14, 
above);  and, 

2.  Department/agency  progress  in  implementing  the  security  plans 
required  by  TM  1 . 

It  is  expected  that  the  results  of  the  review  will  be  completed  by 
November  30,  1980. 

An  interim  letter  report  on  this  evaluation  [46]  noted  the  announced  0MB 
reorganization  of  its  Information  Systems  Policy  Division  and  Regulatory  Policy 
and  Management  Division  into  the  Office  of  Regulatory  and  Information  Policy. 

The  report  indicates  the  new  office  will  have  three  divisions:  Regulatory 
Policy,  Reports  Management  and  Information  Policy.  The  new  Office  will  include 
a  "desk  officer"  responsible  for  monitoring  the  implementation  of  regulatory, 
reports  management,  and  information  management  activities  in  each  assigned 
department  or  agency.  Relevant  to  computer  security,  the  report  further  states: 

0MB  advised  us  that  many  of  the  desk  officers  know  little 
about  automatic  data  processing  in  general  or  automated 
security  in  particular.  0MB,  realizing  that  these  officers 
need  training  and  help  from  people  knowledgeable  about 
automated  security,  plans  to  conduct  such  training  during 
May  and  June  1980.  Effective  monitoring  by  trained  0MB  staff 
is  necessary  if  the  intent  of  the  memorandum — security  of 
automated  information  systems— is  to  be  met. 
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V.  POLICY  IMPACTS  —  AN  AGENCY  PERSPECTIVE 


There  are  additional  considerations  from  a  policy  perspective,  beyond 
merely  the  presence  or  absence  of  policy  as  such,  or  the  presence  or  absence 
of  program  oversight.  Some  of  these  will  be  briefly  explored  by  viewing  the 
context  and  flow  of  computer  security  policies  as  they  impact  a  large  Execu¬ 
tive  Branch  organization,  the  Department  of  Defense. 

The  organization  is  by  most  criteria  large  --  in  terms  of  number  of 
personnel,  budget  size,  and  organizational  complexity  as  historically  evolved. 
Most  significant  here,  however,  is  the  magnitude  of  use  of  computer  systems  in 
support  of  departmental  mission  accomplishment,  as  a  key  arm  of  the  national 
security  establishment.  As  noted  previously,  just  in  terms  of  general  pur¬ 
pose,  commercially  available  ADP  systems  alone,  DoD  accounts  for  about  50%  of 
the  GSA  inventory.  In  addition,  DoD  owns  and/or  operates  literally  uncounted 
numbers  of  special  purpose  computer  systems  (e.g.,  computers  embedded  in 
weapons  and  other  systems).  Moreover,  the  DoD  has  responsibility,  derived 
from  an  Executive  Order  and  executive  agreements  with  other  Executive  Branch 
Agencies  and  Departments,  to  assume  security  program  administration  on  behalf 
of  sixteen  such  departments  and  agencies  for  contractors  handling  classified 
lutional  security  information. 

A  point  of  the  example  is  to  illustrate  the  manner  in  which  computer 
security  policies  and  associated  requirements  converge  on  an  Executive  Branch 
organization  and  a  fashion  in  which  they  can  be  integrated  (or  not  be  integated) 
The  overall  situation  is  one  which  carries  the  potential  for  the  generation  of 
confusion,  unwarranted  duplication  of  effort,  and  policy  conflict.  The  dupli¬ 
cation  concern  is  particularly  critical  inasmuch  as  computer  security  is  a 
relatively  new  area  requiring  attention,  to  include  resources.  And  existing 
resources  appear  to  be  quite  limited,  particularly  in  the  face  of  the  dramatic 
expansion  of  requirements  represented  by  the  scope  of  the  recently  promulgated 
0MB  requirements. 

Current  Policies  and  Sources  of  Requirements 

Classified  Information.  DoD  programs  for  computer  security  are  in  imple¬ 
mentation  of  and  must  be  consistent  with  requirements  imposed  by  higher  author¬ 
ities.  Beginning  with  the  classified  arena,  the  most  pertinent  generic  authority 
imposing  security  responsibilities  upon  the  Secretary  of  Defense  is  Executive 
Order  12065  [10]  as  amplified  by  Information  Security  Oversight  Office  Directive 
Number  1  [37]  (Figure  7). 

Particularly  relevant  to  implementation  of  the  order  in  the  AOP  environ¬ 
ment  is  the  information  classification  scheme;  namely,  that  national  security 
information  or  material  shall  be  classified  in  one  of  three  categories,  TOP 
SECRET,  SECRET,  or  CONFIDENTIAL  and  no  other  categories  shall  be  used  except 
as  expressly  provided  by  statute. 

While  the  Executive  Order  focused  primarily  on  the  classification  and 
declassification  of  national  security  material  and  improving  the  balance 
between  the  two  competing  principles  of  informing  the  public  and  preserving 
confidentiality,  it  also  contains  other  pertinent,  broad  and  generic  security 
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policy  requirements,  most  of  which  present  problematic  Judgments  when  applied 
to  the  ASP  arena. 

As  these  requirements  are  implemented  by  formal  issuances  down  the  indi¬ 
cated  organizational  chains  of  command,  they  are  elaborated  upon  and  generally 
specified  as  appropriate  to  more  limited  organizations  and  environments. 

There  are  also  built-in  feedback  or  oversight  mechanisms  for  the  evaluation  of 
lower- level  implementations.  For  example,  in  OSD,  all  DoS  Component  implemen- 
tating  documents  must  be  reviewed  and  formally  certified  as  being  consistent 
with  the  basic  DoD  issuance. 

The  E.O.  does  not  address  computers  per  se.  DoS’s  primacy  implementa¬ 
tion,  the  Information  Security  Program  Regulation,  DoD  5200.1-R(4],  does  not 
either,  except  for  paragraphs  dealing  with  various  media  that  may  be  associated 
with  computer  processing  (e.g.,  punched  cards,  printouts,  micro-forms).  DoD 
Directive  5200.28  (1]  in  essence  represents  DoD's  implementation  of  the  E.O. 
insofar  as  the  relatively  unique  problems  posed  by  shared  computer  systems  are 
concerned.  The  relationship  between  the  two  cannot  be  understated  because 
much  of  the  overall  security  guidance  to  be  applied  to  the  AOP  environment  is 
in  5200. 1-R  and  is  simple  not  duplicated  in  5200.28.  Therefore,  in  imple¬ 
menting  policy,  reference  to  both  5200.28  and  5200. 1-R  is  required. 

Defense's  ADP  security  program  policies  impact  not  only  the  DoD  Components 
but  also  those  ADP  systems  processing  classified  information  among  the  11,000 
contractors  in  the  Defense  Industrial  Security  Program  (Figure  8) .  As  men¬ 
tioned,  this  Program  is  administered  by  DoD  on  behalf  of  sixteen  other  Execu¬ 
tive  Branch  Departments  and  Agencies,  in  addition  to  the  DoD  Components,  and 
currently  identified  industrial  ADP  systems  (over  2,000)  represent  a  significant 
number  of  the  total  ADP  systems  subject  to  DoD  ADP  security  policies. 

Special  Access  Programs.  So  far  the  flow  of  implementation  of  policy  is 
fairly  straight  forward.  But  there  is  always  an  "other,"  and  as  shown,  there 
are  basically  four  sets  of  "Special  Access  Programs”  that  impact  the  Informa¬ 
tion  Security  Program  (Figure  9); 

NATO,  where  ADP  security  procedures  are  based  on  International  Treaty 
Requirements ; 

Requirements  concerning  access  to  and  dissemination  of  Restricted 
Data  and  Critical  Nuclear  Weapon  Design  Information; 

Special  Access  Programs  for  Foreign  Intelligence  or  other  informa¬ 
tion  under  the  cognizance  of  the  Director  of  Central  Intelligence  or  the 
National  Communications  Security  Committee;  and 

DoD  "Special  Access  Programs"  as  such. 

DoD  policy  in  this  area  is  to  utilize  the  standard  classification  cate¬ 
gories  to  limit  access  to  classified  information  on  a  "need-to-know"  basis  to 
personnel  who  have  been  determined  to  be  trustworthy  pursuant  to  the  E.O.  and 
ISOO  Directive  so  that  there  will  be  no  need  to  resort  to  formal  special 
Access  Programs  (e.g.,  requiring  extraordinary  procedures  and  controls,  such  as 
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formal  access  determination,  special  briefings,  reporting  procedures,  and 
recorded  formal  access  lists.)  Where  such  programs  do  exist,  however,  they 
are  signficant  potential  sources  of  additional  security  requirements  in  various 
areas  which  must  be  considered  in  both  system  security  planning  and  in  policy 
development,  integration  and  implementation.  Noted  as  particularly  significant 
is  the  necessity  at  the  Federal  department/ agency  level  to  effectively  integrate 
diverse  classified  information  protection  policies  from  difference  sources, 
and  then  further  effectively  integrate  that  result  with  emerging  computer 
system  protection  requirements  from  newer  sources,  such  as  the  following. 

Privacy.  Implementation  of  the  Privacy  Act  of  1974  (Public  Law  No. 

93-579,  U.S.C.  SS2a)  was  implemented  through  a  DoD  Directive  and  concurrent 
establishment  of  a  DoD  Privacy  Board  [38],  (Figure  10).  With  regard  to  com¬ 
puter  security  as  such,  current  DoD  policy  consists  of  rather  specific  interim 
guidelines  [39].  These  will  be  superceded  by  a  comprehensive  DoD  Regulation 
now  under  development  to  establish  uniform  Defense  policy  concerning  interpre¬ 
tation  and  implementation  of  the  Privacy  Act.  One  of  its  chapters  will  con¬ 
tain  specific  policies  for  "Safeguarding  Personal  Information  in  ADP  Systems." 

TM  1  to  0MB  A-71  (Figure  11).  DoD's  approach  to  implementing  these 
responsibilities  specifically  seeks  to  comprehensively  integrate  various 
computer  security  programs.  The  approach  being  pursued  is  one  of  essentially 
applying  to  the  A-71  requirements  the  ADP  security  policy  framework  that  has 
evolved  in  the  classified  arena  over  approximately  the  past  decade.  Essentially 
OoO  envisions  first  categorization  of  data  and  applications  on  the  basis  of 
criteria  analogous  to  those  that  exist  for  classified  national  security  informa¬ 
tion.  Secondly,  ADP  systems  are  primarily  categorized  in  terms  of  the  data/ 
applications  processed,  and  then  specific  security  requirements  are  directly 
derived,  primarily  on  a  system  basis.  Incorporated  is  the  multi-disciplinary, 
systematic  approach  to  implementation  that  characterizes  the  classified  arena. 

A  third  essential  ingredient  is  utilization  of  the  currently  authorized  system 
security  modes  (Figure  12). 

The  data  and  application  sensitivity  categories  that  have  been  proposed 
are  amplified  in  Appendix  H. 

This  conceptual  scheme  was  included  in  Che  DoD  plan  submitted  to  0MB  and 
concurrently  in  the  memorandum  promulgating  the  plan  within  Defense,  appro¬ 
priately  entitled,  "A  Comprehensive  Information  Security  Program"  [40].  The 
plan  further  notes  that,  notwithstanding  existing  policies  that  satisfy  some 
TM-1  requirements,  new  or  modifed  guidance  is  required.  Pending  development 
of  such  guidance,  the  TM-1  policies  should  be  considered  to  have  full  force 
and  effect,  as  amplified  in  the  memorandum. 

Policy  &  Program  Oversight 

Classified  Information.  Already  mentioned  was  the  fact  that  DoD  Com¬ 
ponent  implementations  are  reviewed  against  basic  DoO  policy,  and  each  Component 
implementing  issuance  (Figure  13)  must  be  reviewed  and  certified  in  writing  as 
being  consistent  with  the  basic  policy  issuance,  or  corrective  action  must  be 
taken. 
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Conplementary  on~3ite  "information  security  oversight  visits”  are  under¬ 
taken  by  the  Office  of  the  Secretary  of  Defense  (OSD)  to  assess  the  field 
implementation  of  policy.  Some  of  these  on-site  oversight  visits  have 
specifically  addressed  computer  security  matters,  both  among  the  DoD  Component 
and  asMng  contractor  facilities  included  within  the  Industrial  Security  Pro¬ 
gram.  Additional  oversight'  visits  more  intensely  focusing  on  computer  secu¬ 
rity  as  such  are  specifically  programmed  for  the  current  and  forthcoming 
Fiscal  Years. 

Additional  oversight  activities  are  conducted  under  the  auspices  of 
various  special  access  programs  included  within  the  DoD  Information  Security 
Program.  For  example,  the  Defense  Intelligence  Agency  conducts  security 
inspections  of  other  DoD  Components'  facilities  for  compliance  with  policy 
where  certain  categories  of  "sensitive  compartmented  information"  are  being 
handled,  including  contractor  facilities,  and  the  NATO  Office  of  Security 
annually  conducts  inspections  of  15  NATO  member  nations'  security  arrangements 
for  the  protection  of  NATO  classified  information. 

Further  oversight  is  provided  through  the  medium  of  internal  audit,  for 
example,  Defense  Audit  Service  (DAS)  evaluations  and  reports  and  Inspector 
General  reports. 

Privacy.  Component  implementations  of  DoD  policy  implementing  the 
requirements  of  the  Privacy  Act  are  likewise  subject  to  formal  policy  certifi¬ 
cation  by  OSD. 

Additionally,  on-site  oversight  visits  to  selected  ADP  installations  were 
also  undertaken  by  OSD  in  conjunction  with  this  program. 

Lastly,  a  multitude  of  internal  audits  were  undertaken  concerning  privacy 
and  other  computer  security  considerations  at  selected  activities  within  the 
Defense  Agencies  and  Military  Departments  (e.g.,  DAS  "Summary  Report  on  the 
Audit  of  ADP  Systems  Security  and  Privacy  at  Selected  Defense  Data  Processing 
Installations,"  [41]  —  Appendix  G  lists  activities  included  in  the  audit 
reports  and  specific  audit  reports  issued) . 

TM  1  to  0MB  A-71.  Although  no  specifics  are  now  in  place  concerning 
oversight  of  implementation  of  this  program  (which  is  currently  being  devel¬ 
oped  within  Defense),  it  is  probable  that  at  least  the  policy  certification 
and  internal  audit  functions  will  provide  policy  and  program  oversight  in  the 
department. 

Suatary  Cosssents 

The  foregoing  suggests  one  problem  for  a  Federal  department  or  agency 
implementing  computer  security  requirements  Imposed  by  diverse  higher  echelon 
authorities  --  integrating  these  requirements  into  a  relatively  homogeneous, 
consistent  and  coherent  internal  policy  framework  (Figure  14).  In  the  Defense 
Departawnt  example,  this  was  essentially  accomplished  within  the  classified 
arena  by  integrating  minimum  classified  information  protection  requirements 
with  those  additional  and  often  different  requirements  for  classified  "Special 
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Access  Program"  iaformatioa  comprehensively-  The  approach  appears  to  work 
well.* 

By  contrast,  there  has  been  little  linkage  between  classified  computer 
security  policy  and  policy  stemming  from  departmental  implementation  of 
requirements  from  the  Privacy  Act  of  1974  and  0MB  Circular  A-108. 

The  subsequent  promulgation  of  TM  1  to  0MB  A-71  serves  to  integrate  com¬ 
puter  security  policies  and  progams,  to  include  field  implementation. 

The  general  point,  beyond  the  Defense  example,  is  that  explicit  attention 
must  be  given  to  the  impact  at  the  department/ agency  level  of  higher  level 
actions,  particularly  the  derivative  and  cascading  effects  of  any  policy 
confusion,  conflict,  inconsistencies  and  ambiguities  from  the  top  down  to  the 
bottom  line  --  the  ultimate  implementation  of  policies  in  field  data  processing 
installations . 


*  Even  this  is  not  without  potential  problems  however.  For  example,  one 
Special  Access  Program  for  intelligence  includes  in  its  scope  all  intelligence, 
not  just  "compartmented"  or  otherwise  "Special  Access-type"  intelligence.  For 
the  non-compartmented  intelligence  handled  within  OoO,  the  OCl's  policy  may  in 
the  future  directly  conflict  with  those  of  the  Secretary  of  Defense  (imposed 
for  classified  information  per  se  by  E.O.  12065  (10])  if  the  respective  policies, 
where  they  intersect,  come  to  differ. 


VI.  SUMMARY,  CONCLUSIONS  &  INFERENCES 


Federal  Departmeat/Ageacy  Lavel 

Of  the  fifteen  Executive  Branch  departments  and  agencies  surveyed, 
representing  over  88%  of  the  Federal  computer  systems  reflected  in  the  GSA 
inventory,  all  had  promulgated  cosiputer  security  policies  in  effect.  These 
varied,  however,  in  scope,  applicability  and  approach. 

Specifically  revealed  and  reviewed  were  32  documents  meeting  the  criteria 
set  forth  herein  as  cosiputer  security  policies,  and  these  provided  essentially 
27  policy  document  sets  (1,316  pages)  associated  with  the  fifteen  agencies. 

The  policies  involved  differences  in  overall  approach  (e.g.,  combination  or 
separation  of  policies  stessning  from  different  authoritative  sources) ,  scope 
(e.g.,  classified  information,  non-classified  information,  personal  informa¬ 
tion)  and  applicability  (e.g.,  include  internal  cosiponents  and/or  contractors). 

Primary  authoritative  bases  on  the  basis  of  frequency  cited  among  the  27 
policy  sets  were: 
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Derived  from  the  foregoing,  the  survey  clearly  reflected: 

o  Omnibus  Policy.  In  place,  comprehensive  computer  security  policy 
promulgated  by  the  Office  of  Management  and  Budget,  Executive  Office  of  the 
President  [7]. 

o  This  policy  explicity  includes: 

—  all  Federal  data  and  applications  processed  by  computer  systems 

—  personal,  proprietary  and  other  sensitive  data  not  subject  to 
national  security  regulations  as  well  as  national  security  data 

—  such  data/applications  processed  by  Federal  computer  systems  as 
well  as  by  other  systems  on  liehalf  of  Federal  departments  and  agencies 


27 


o  Pursuant  to  0MB  central  agency  tasking  under  this  program  policy: 

—  0PM  has  issued  personnel  security  requirements  and  guidelines 
now  in  the  Federal  Personnel  Manual  (22,231; 

•-  GSA  has  amended  the  Federal  Property  Management  Regulations 
(FPMR  amendment  F-42)  to  add  a  new  section  for  Che  protection  of  ADP  and 
telecommunications  systems  and  a  subpart  to  provide  guidelines  on  environ¬ 
mental  and  physical  security  of  ADP  facilities  (25); 

—  GSA  has  amended  the  Federal  Procurement  Regulations  (FPR  Amend- 
Mnt  210)  to  require  that  agencies'  cooiputer  security  requirements  be  included 
and  certified  in  agency  procurement  requests  and  that  acquisition  specifica¬ 
tions  include  certified  Government  computer  security  requirements  in  connection 
with  solicitations,  contracts,  and  contract  administration  (26);  and, 

—  National  Bureau  of  Standards,  Department  of  Commerce,  has 
issued  numerous  information  and  guidance  publications  on  computer  security 
(6]  as  well  as  maintaining  an  ongoing  program  for  standards  development. 

o  Other  Policies.  There  are  also  documented  herein  a  number  of  other, 
earlier  Executive  Branch-level  computer  security  policies  of  narrower  scope 
and  applicability,  including: 

--  Department/agency-generated  policies  in  implementation  of  generic 
classified  information  safeguarding  requirements  imposed  by  Executive  Order 
12065 


Special  Access  Program  classified  information,  such  as: 

-  NATO  information 

-  Intelligence  information 

-  Restricted  Data  and  associated  information 


—  Policies  associated  with  implementation  of  the  Privacy  Act  of 
1974  in  the  ADP  arena  and  0MB  Circular  A- 108. 

The  interrelationships  of  these  policies  are  suggested  by  the  diagrams  at 
Figures  IS  and  16.  Figure  IS  shows  these  as  separately  promulgated  from  the 
national  level;  Figure  16  relates  them  in  a  Venn  context  wherein  the  0MB  policy 
includes  all  Federal  data/applications  processed  by  computers. 

Oversight  Results 


However,  audits .and  associated  reviews  (e.g.,  [27],  (28|  ,  (29),  (30], 
(31],  (35],  and  (41]}  have  found  significant  problems  with  the  field  implemen¬ 
tation  of  computer  security  programs. 

Most  recent  is  the  January  1979  GAO  report  which  concluded  that  "programs 
fell  short  of  being  comprehensive  and  top  management  support  was  lacking” 


(Underlining  denotes  docunents  neetlng  the  criteria  herein 
for  conputer  security  policies) 
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[33]  (emphasis  added).  The  report  aoted  that  the  review  was  completed  prior 
to  the  issuaace  of  TM  1  to  OHB  Circular  A-71,  but  noted  that  the  document 
'*  —  requires  action  by  top  agency  managers  which  could  contribute  greatly  to 
correcting  many  of  the  computer  data  security  problems  addressed  in  the  GAO 
report."  Further,  '...it  (TM  1  to  A-71)  sets  an  appropriate  framework  for 
agencies'  initiatives  to  correct  their  data  security  problems.” 

The  "Digest”  to  this  GAO  report  is  attached  for  reference  as  Appendix  I. 
Conclusions 

The  Subcommittee  considers  the  current  situation  to  suffer  significantly 
from  fragmentation  across-the-board  and  from  the  lack  of  cost  effective,  fea¬ 
sible  implementing  guidance.  The  former  particularly  is  manifest  in  the  example 
of  national  policy  flow  and  impacts  at  the  department/agency  level  (pp. 22-26). 
This  suggests  a  clear  need  for  further  efforts  to  effectively  integrate  overall 
computer  security  policies  in  a  context  that  specifically  considers  the  flow  of 
data/applications  to  be  protected,  1.  between  and  among  Federal  agencies,  and  2. 
between  Federal  agencies  and  private  sector  contractors . 

The  foregoing  in  turn,  indicates  that  a  deeper  level  of  analysis  is 
required  to  focus  on  those  aspects  of  computer  security  field  implementation 
that  ace  susceptible  to  benefit  from  national  level  attention  and  effort. 

Accordingly,  the  S'.,  committee  strongly  and  unanimously  recoomiends  attention 
be  given  to  the  following  specific  problem  areas  related  to  current  cooiputer 
security  policies  and  field  implementation  thereof: 

1.  The  nature,  magnitude  and  practical  effects  of  the  lack  of  top 
management  support  in  Federal  Departments  and  Agencies  ([35]  and  Appendix  I), 
to  specifically  include  the  need  for  the  education  and  awareness  of  top  man¬ 
agement  on  the  many  facets  of  computer  security  and  the  interrelationships  of 
cooiputer  security  with  other  programs  and  functional  activities; 

2.  Closely  interrelated  with  the  foregoing,  lack  of  resources ,  to 
include  both  research  and  development  resources  and  operational  resources, 

with  specific  attention  to  the  problem  of  trained  manpower  and  funding  stability; 

3.  Intensive  focus  on  the  problematic  nature  of  the  ha rdwa re / s o f twa re 
computer  security  subdiscipline  (e.g.,  [42],  [43],  [44],  and  [45]),  to  specifi¬ 
cally  include  the  development  of  secure  systems  technology,  security  technical 
evaluation  methodologies  and  mechanism(s) ,  and  recommended  management  and 
operational  mechanism(s)  thereof; 

4.  Manifest  requirements  for  means  of  more  effective  integration  and 
coordination  of  identified  national  policy  promlgating  activities  (see  Figures 
15  &  16  as  well  as  conflict  examples  on  pp.  13  &  25). 

5.  Generation  of  feasible  and  cost-effective  implementing  guidance  for 
various  computer  security  subdisciplines  associated  with  the  implementation  of 
overall  computer  security  policies  (in  addition  to  3.,  above,  highlighted 
examples  include  communications  security  guidance  specifically  keyed  to  computer 
systems  and  networks  and  similar  tailored  emanations  security  guidance). 
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Administration,  The  Federal  Register.  October  5,  1978. 

38.  "Personal  Privacy  and  Rights  of  Individuals  Regarding  Their  Personal 
Records,"  Department  of  Defense  Directive  5400.11,  August  4,  1975. 

39.  "Interim  Policy  on  Safeguarding  Personal  Information  in  ADP  Systems," 
Assistant  Secretary  of  Defense  (Comptroller)  memorandum  to  the  Military  Depart¬ 
ments  and  Defense  Agencies,  April  26,  1978. 

40.  "A  Coi^rehensive  Information  Security  Program,"  Assistant  Secretary  of 
Defense  (Comptroller)  multi-addressee  Memorandum,  January  30,  1980. 

41.  "Summary  Report  on  the  Audit  of  ADP  Systems  Security  and  Privacy  at 
Selected  Defense  Data  Processing  Installations,"  Report  No.  952,  Defense  Audit 
Service,  September  29,  1978. 

42.  Security  Controls  for  Computer  Systems;  Report  of  Defense  Science  Board 
Task  Force  on  Computer  Security,  published  by  the  Rand  Corporation  for  the 
0#iicc  of  the  Director  of  Defense  Research  snd  Engineering  (Rand  Report  #R-609), 
Tcbruary  11,  1970. 

43.  Stryker,  D.J.,  "Subversion  of  s  'Secure*  Operating  System,"  Naval  Research 
Laboratory,  Washington,  D.C.  20375,  NRL  Memorandum  Report  282  (June  1974). 
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44.  Proceedings  of  the  Seminar  on  the  DoD  Computer  Security  Initiative  Program. 
National  Bureau  of  Standards,  Gaithersburg,  Maryland,  July  17-18,  1979. 

45.  Proceedings  of  the  Second  Seminar  on  the  DoD  Computer  Security  Initiative 
Prograa.  National  Bureau  of  Standards,  Gaithersburg  Maryland,  January  15-17, 
1980. 


4d.  GAO  Letter  Report  B-198551,  Subject:  "Central  Agencies'  Compliance  With 
0MB  Circular  A-71,”  Transmittal  Memorandum  No.  1  (LCD-80-56-1),  April  30,  1980. 
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sXSOJWrS  aSAftCH  computer  SECURETT  policy  DCCJMEtnS 


1.  PEPAaTMEST/AGafCY  PSOMDlflATElO  THE  DOCUMElfr; 


2.  DOCUMBIT  nEITUICATIOW  (Pla^a  eosplata  qiiaatlosaaire  fAr  draft  doetnaants 
tf  thara  la  aot  ao  approaed,  publlsbad  veralon  of  tha  saiae  scope  & 
Applicability} ; 

A.  Tltla  (of  dacuoant  or  that  pArt/sactlon  dealing  with  computer  security); 


b.  RegulatloD  or  otbar  Rumber,  where  Applicable :  _ 

e.  Data  (if  revised,  enter  date  of  latest  revision  or  change ): 


d.  Check  here  only  if  docuaant  Is  an  unapproved,  unpublished  draft: 

3.  AQTBDRrrATiyE  a*SIS(SS)  FOR  POLXCr  (PlaAse  "X"  all  of  the  following  that  are 
explicitly  cited  as  authority  for  tha  docunnt;  enter  "0"  for  others  that 
are  cross  •referenced  for  separate  application): 

a.  Pertaining  to  classified  Rational  Security  Information; 

(1)  Beecutlve  Order  12065,  Tjattonai  Security  Information,"  June  26, 
1978: 

(2)  USSAR  (United  States  Security  Authority  for  RAto  Affairs) 
MesHrandvi  Ro.  1,  "Impleaentation  of  RAfO  Security  Procedure  (U)," 
17  Dec  1973,  ■«  amended  (pertaining  to  RAtO  classified  information) 

(3)  Atomic  fhiergy  Act  of  195^,  as  amended  (Public  Lav  93*^38, 
pertaining  to  "Restricted  Data"  &  Pormerly  Restricted  Data"); 

(li)  Special  access  programs  for  "IntelUgence "  (l.e.  "Foreign 
Intelligence"  and  "eountarlntelUganee"  per  EO  12036,  (8), 
below)  under  the  cognizance  of  the  Director  of  Central 
Intelligence  (e.g.  DCS)  Ro.  l/l6): 

(5)  Other  OeparCment/Agency  Special  Access  Programs  (a.g.  Dapt.  of 
Dtfanse  —"Single  Integrated  Operational  Pleo-Extremely  Sensitive 
Informetlon/SIOP-fiSI") : 

(6)  Executive  Order  10665,  "Safeguarding  Claeslfled  Inforaatlon 
Within  Industry,"  February  20,  19^0,  a#  amandad: 

(7)  Praaldantial  Directive /BSC -2A  (”PD-2b"),  l£  Rov  77; 

(8)  Esacutlve  Order  12036,  "Ublted  States  IntelUgenea  Activities," 
January  26,  1978; 


AFPBRDIZ  B 


(9)  "N*tlon«L  ConBnalcattoM  Security  Directive  (U),"  20  Jun  1979: 


b.  Pertaining  to  Dnclaealfled  Infora*tlon: 

(1)  Prlvecy  Act  of  ig?**  (PubUc  Law  93-579.  5  0.3.  C.  552«): 

•od/or; 

0MB  Circular  A-loS,  'Tiesponaibllitlca  for  tbe  MaintenaBce  of 
Records  About  Individuals  by  Federal  Agencies,"  July  1,  1975, 
se  soended  and  suppleoented: 

(2)  ‘Creasmlttal  Mtaorandum  Bo.  1  to  0MB  Circular  Bo.  A-71,  Security 
of  Autonated  Inforaatlon  Systeaa,"  July  27,  1978: 

(3)  Records  vlttataeld  from  public  disclosure  under  the  Freedoa 
of  Infomatlon  Act  (5  a.S.C.  552): 

e.  Other  General,  Authoritative  Bases: 

(1)  Prohibited  Disclosure  of  confidential  gevemnent  Inforaatlon 
(Z&  O.S.C.  1905); 

(2)  Federal  Reports  Act  -  Unlawful  disclosure  of  Information; 
controlled  release  to  other  agencies  (Vt-  O^.C.  3508): 

(3)  unlawful  personal  use  of  public  money,  property  or  records 
(18  U.S.C.  61*1); 

(**)  Robbery  of  personal  property  of  the  U.S.  (18  U.S.C.  2112): 

(5)  Injury  cr  destruction  of  U.S.  property  (18  U.S.C.  1361): 

(6)  Willful,  unlawful  eoneealment,  removal  or  nutUatlon  of  any 
record  or  other  Item  filed  with  the  U.S.  (l8  U.S.C.  2071): 

(7)  ?FMl  (Federal  Property  Nenagement  Regulation)  101-36.7, 
MMisgemcst  aod  Control  of  Computer  Rooms  and  Related  Support 
Areas,"  June  15,  1978: 

(8)  FPSB  101-35.17,  "Privacy  sod  Data  Security  for  AOP  sud 
Telecoanalcatlons  Systems,"  June  16,  1978; 

(9)  FPMi  IOI-3A,  "Emargency  Preparedness  Planning,"  June  I6,  1978: 

d.  Other  Authorities  Cited  —  Please  Identify  fully  as  in  2.,  above,  and 
attach  the  Information  to  this  q^wstlonnaire . 

ApPUCABgJTT  OF  POLICT  (Please  "X"  aU  that  apply): 

a.  Applies  to  the  departmsnt/agency  Identified  In  1.,  above,  and  Its 
components  and  facilities: 

b.  Applies  to  an  (or  moat)  department/agency  contractors  (l.e.  any 
Industrial,  educational,  coHnercial  or  other  entity  which  has  executed 
a  contract  with  the  department/agency) : 


5.  PaOTSCncW  scops  "X"  *11  »r«  l2clud*d  vlthla  the  policy  document) 

a.  iaforahtion/data 

(1)  ClMatfled  National  Security  mforaamon; 

and/or 

Uhciaaalfled  ”!ratlonal  Security  Seiated  Inf oraatlon : 

(2)  Peraonal  Infuraatlon  relating  to  Indt^lduala  ("Privacy"): 

(3)  Other  agancy/departaent  "aenaltlve  lafomation"  and  reeorda: 

h.  (1)  Aqp  ayataaa  (l.e.  "Automatic  Data  Proeeaalng  equipment,"  Including 
computera  and  auxiliary  or  aceesaorial  equipment  aueh  aa  l/o 
derlcea  and.  coaenmicatlona  equipment): 

(2)  Are«e  houalng  Asp  ayatema  or  their  componenta  (e.g.  phyalcai  arena 
containing  main  frame  or  reente  terminals): 

(3)  Computer  Programs  (l.e.  software) 

(h)  other  ADP  resources  and  supplies : 

e.  Does  the  policy  generally  contain  security  requlreamnts  pertaining 
to  the  entire  life  cycle  of  ( "X"  If  answer  la  "yes"): 

(1)  the  Atf  or  computer  systetas  concerned: 

(2)  Indl-rlduai  data/appUeatlon  systems: 

6.  COKWISH  SeCDRITr  SeBBSCXPUagS  SPSClFICAlxy  included  (Please  "X"  au 
requirement  sets  that  are  Inducted  In  the  policy  document,  to  include 
requirements  that  may  he  ewsrsted  In  a  separate  document  — •  e.g.  the 
eos^ater  security  doensent  requires  personnel  security  or  eoiammlcstlons 
security  setlona  set  forth  In  a  referenced,  separate  document): 

a.  Persooael  Security: 

h.  Physical  Security: 

e .  Cosaamicatlaas  Security: 

d.  taeoatloos  Security: 

e.  Adadnlstratlve /Procedural  Security: 

f.  Hardware /Softwere  Security: 


7. 


V 


PROGRAM  COMPONENT  ELEMENTS  (Plaasa  "X"  that  are  included  in 

essence  within  the  document) : 

a.  Assignment  o£  Responsibility: 

(1)  For  computer  security  within  the  Agency  or  Department 
(i.e.  specification  of  a  headquarters  staff  element 

as  responsible  for  policy  promulgation  and  program 
oversight) : 

(2)  For  specific  AOP  systems  or  AOP  installations  (e.g. 
Appointment  of  AOP  System  Security  Officers) : 

b.  Management  Control  Process  to  assure  that  administrative, 
physical,  technical  and  other  safeguards  are  included  in 

agency  computer  systems: 

c.  Formally  designated  approving  authority  for  the  security 
aspects  of  covered  AOP  systems : 

d.  Overall  security  specifications/requirements: 

e.  Review,  test  and/or  evaluation  required  as  basis  for  system 
approval  for  operation: 


f.  Audit  or  other  follow-up  system  or  program  security 
evaluations : 


g.  Risk  Analysis  or  Risk  Assessment  methodologies 

h.  Security  Requirements/Specifications  Applicable  to 
Procurement  (i.e.  equipment,  systems  or' related  services): 


i.  Requirements  for  Contingency  Planning: 

j .  Personnel  Screening  Requirements 


k.  Specification  of  an  authority  to  grant  waivers: 


1,  Requirement  to  specify  an  ADP  security  budget:  _ 

8.  y PROXIMATE  NUMBER  OF  COMPUTER  SYSTEMS  COVERED  BY  POLICY  (if  known, 

for  example,  through  agency  submissions  to  GSA  inventory) :  _ 

9.  WtIMBER  OF  PAGES  (single-spaced  pages  or  equivalent)  :  ___________ 

10.  QPESTIOWWAIRE  COMPLETED  BY  (Requested  for  purposes  of  follow-up  only) : 


Name 


Telephone  Number 
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GUIDANCE  FOR  QUESTIONNAIRE  COMPLETION 


General. 

Policy  documents  reviewed  for  purposes  of  this  survey  are  to 
be  only  those  documents  (or  parts  of  documents  of  larger  scope)  that 
treat  computer  security  in  a  more  or  less  complete  sense.  This 
includes  both  documents  specifically  on  computer  security  and 
essentially  complete  in  themselves  (e.g.  DoD  Directive  5200.28  and 
DCID  No.  1/16)  as  well  as  sections  or  parts  of  larger  documents 
where  the  sections  are  essentially  comprehensive  computer  security 
documents  in  themselves  (e.g.  Part  6  on  computer  security,  which  is 
a  section  of  REW's  AOP  Systems  Manual,  or  Agriculture's  "ADP  Security 
and  Privacy"  chapter  of  their  Departmental  Information  Processing 
Standards  Manual) . 

By  contrast,  we  are  not  interested  for  the  moment  in  policy 
documents  that  contain  provisions  representing  clearly  incomplete, 
piecemeal  elements  associated  with  computer  security.  Examples 
here  are  Defense's  Information  Security  Program  Regulation,  which 
includes  security  marking  provisions  for  some  ADP  media,  or  Defense's 
directive  on  "Life  Cycle  Management  of  Automated  Information 
Systems,"  which  cites  computer  security  requirements  as  a  policy 
consideration — neither  of  these,  however,  set  forth  computer 
security  policies  in  any  comprehensive  and  enumerative  sense. 

It  is  recognized  that  subjective  judgment  is  necessarily  a 
part  of  completing  the  questionnaire.  The  primary  consideration  for 
survey  purposes  with  regard  to  various  policy  attributes  is  presence 
or  eibsenca,  not  relative  degree  of  ccxnpleteness.  For  example,  on 
question  7.a. (1),  a  policy  document  may  assign  program  responsibility 
poorly  (e.g.  fragmented  assignment  to  multiple  organizational 
entities,  with  no  one  entity  having  overall  responsibility),  but  it 
does  assign  computer  security  responsibilities.  Also,  inferences 
should  be  made  if  the  words  in  the  questionnaire  do  not  clearly 
match  verbiage  in  the  document.  Fos  example,  relating  to  question 
S.c. (1),  DoO  Directive  5200.28  does  not  anywhere  use  the  term  "life 
cycle,"  but  it  does  require  that  continued  approval  for  processing 
classified  information  in  an  AOP  system  be  based  upon  recurring 
security  evaluation  of  the  system.  In  this  case,  the  question  should 
be  answered  with  an  "X"  since  the  provisions  imply  "cradle  to  grave" 
system  security  monitorship. 

Please  call  if  you  have  questions  on  borderline  areas  such  as 
the  foregoing,  as  this  will  help  to  assure  consistency  in  the 
survey  results. 

Specific. 


2.  Essentially  self-explanatory.  However,  whore  there  is  one 
document  amplified  or  supplemented  by  another  document  of  the  same 
scope  and  applicability,  please  complete  one  copy  of  the  questionnaire 
for  both  documents  (e.g.  OoO  Directive  5200.28  and  its  companion 
manual  doO  5200. 28-M,  and  DOE  Order  5636.2  and  its  associated  DOE 
Manual  5636.2) . 


3. a.  Don't  spend  time  hunting  outside  of  the  document  itself 
for  these.  For  DoO  documents  implementing  DoD  Directive  5200.28, 
however,  the  "X”  should  be  entered  for  E.O.  12065,  because  the 
implementations  are  tertiary. 

3. b.&c.  "X"  only  those  that  are  cited. 

4. b.  has  been  modified  to  indicate  "all  (or  most)  department/ 
agency  contractors"  in  recognition  of  a  provision  in  the  Industrial 
Security  Manual  (covering  DoO  Component  and  16  other  Executive 
Branch  department  and  agency  classified  information  with 
contractors)  that  excludes  only  government-owned,  contractor- 
operated  systems  located  on  government  premises. 

8.  Unless  easily  found,  leave  blank,  and  I  will  enter  this  from 
the  GSA  Inventory  where  appropriate. 


COMPUTER  SECURITY  POLICY  OOCUMENTS  REVIEUEO 


--Oepartinent/Aqency  Level  Oocuinents-- 


Department  of  Defense 

DoO  Directive  5200.28,  "Security  Requirements  for  Automatic  Data 
Processing  (ADP)  Systems" 

DoO  Manual  5200. 28-M,  "ADP  Security  Manual — Techniques  &  Procedures 
for  Implementing,  Deactivating,  Testing,  and  Evaluating  Secure 
Resource-Sharing  ADP  Systems" 

Assistant  Secretary  of  Defense  Comptroller  Memorandum,  "Interim  Policy 
on  Safeguarding  Personal  Information  In  ADP  Systems" 

Section  XIII,  "Security  Requirements  for  APP  Systems,"  DoD  Manual  5220. 22-M, 
"Industrial  Security  Manual  for  Safeguarding  Classified  Information" 

DoO  Manual.  C-5030.58-M,  "Defense  Special  Security  Communications  System- 
Security  Criteria  and  Tel ecotiwunlcat Ions  Guidance  (U)" 

Army  Regulation  380-380,  "Automated  Systems  Security” 

OPNAVINST  5239.1,  "Department  of  the  Navy  Security  Program  for  Automatic 
Data  Processing  Systems" 

Air  Force  Regulation  300-8,  "Automated  Data  Processing  System  (AOPS) 

Security  Policy,  Procedures,  and  Responsibilities" 

Air  Force  Regulation  300-13,  "Safequarding  Personal  Data  In  Automatic 
Data  Processing  Systems" 

OIA  Regulation  50-23,  "Security  Requirements  for  Automatic  Data 
Processing  (AOP)  Systems" 

OIA  Manual  50-4,  "Security  of  Compartmented  Computer  Operations  (U)" 

OIA  Manual  50-5,  "Sensitive  Compartmented  Information  (SCI)  Contractor 
Administrative  Security  —  Volume  II  (U)" 

NSA/CSS  Directive  10-27,  "Security  Requirements  for  Automatic  Data 
Processing  (ADP)  Systems" 

NSA/CSS  Manual  90-4,  "ADP  Security  Design  and  Operating  Standards  (U)" 
Department  of  Energy 

DOE  Order  5636.2,  "Security  Requirements  for  Classified  Automatic  Data 
Processing  Systems" 

DOE  Manual  5636.2,  "Computer  Security  Guidelines  for  Classified  Automatic 
Data  Processing  Systems" 

DOE  Order  1360.2,  "Computer  Security  Program  for  Unclassified  Computer 
Systems" 


NASA 


NASA  Management  Instruction  2410.7,  "Assuring  Security  and  Integr  ity  of 
NASA  Data  Processing" 
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Deoartnient  of  Transportation 

DOT  Order  1640.7,  "Department  of  Transportation  Automatic  Data  Processing 
Security  Policy" 

DOT  Order  1640.8,  "Department  of  Transportation  Automatic  Data  Processing 
Security"  (DOT  ADP  Security  Handbook) 

Department  of  Treasury 

DOT  Order  102-3,  "Personnel,  Physical  and  Automatic  Data  Processing  (ADP) 
Systems  Security  —  Organization  and  Delegation  of  Authority" 

Treasury  Directive  10-08,  Part  VII,  "ADP  Resource  Protection" 

Treasury  Directive  10-08,  Part  VII,  "ADP  Privacy  Act  Guidelines" 

Treasury  Directive  10-08,  Part  VII,  (DRAFT)  "ADP  Resource  Protection 
Guldel Ines" 

Department  of  HEW 

Part  6,  "ADP  Systems  Security,"  Chapter  6-00,  HEW  ADP  Systems  Manual 
Department  of  Agriculture 

Chapter  6,  "ADP  Security  and  Privacy,"  Departmental  Information  Processing 
Standards  (DIPS)  Manual 

"ADP  Security  Handbook,"  USDA  DIPS  Manual  Supplement 
Department  of  Justice 

DOJ  Order  2640.2,  "Automatic  Data  Processing  (ADP)  Security" 

Nuclear  Regulatory  Commission 

Part  XII,  "Security  of  Automatic  Data  Processing  Systems,"  Appendix  to 
NRC  Manual  Chapter  2101,  "NRC  Security  Program" 

Part  XVII,  "Automated  Information  Systems  Security  Program  for  Sensitive 
Data,"  Appendix  to  NRC  Manual  Chapter  2101 


National  Level  Documents 


Office  of  Management  !>  Budget,  Executive  Office  of  the  President 

Transmittal  Memorandum  No-  1  to  0MB  Circular  A-71,  "Security  of  Federal 
Automated  Information  Systems",  to  include,  by  direction: 


°  Federal  Personnel  Manual  Letter  732-7,  "Personnel  Security  Program  for 
Positions  Associated  with  Federal  Computer  Systems,"  (Subsequently 
incorporated  i‘n  the  FPM  as  Section  9,  Subchapter  1 ,  Chapter  732) 

®  Federal  Personnel  Manual  Bulletin  732-2,  "Authorities  and  Guidelines 
for  Investigations  of  Persons  Having  Access  to  Federal  Computer 
Systems  and  Information  in  Those  Systems" 

®  Amendment  to  Federal  Property  Management  Regulations  Part  101-35 

to  add  101.35.3,  "Security  of  Federal  ADP  and  Telecommunication 
Systems" 

*  Amendment  to  Federal  Property  Management  Regulations,  Subpart  101-36.7, 

retitled:  "Environmental  and  Physical  Security" 

®  Amendment  to  Federal  Procurement  Regulations  to  Section  1-4,1104, 

"Request  for  Procurement  Action,"  to  include  computer  security 
requi rements 

*  Amendment  to  Federal  Procurement  Regulations  to  add  Section  1-4.1107-21, 

"Computer  Security  Requirements" 

0MB  Circular  A-108,  "Responsibilities  for  the  Maintenance  of  Records  About 
Individuals  by  Federal  Agencies" 

U.S.  Security  Authority  for  NATO  Affairs 

Section  X,  "Protection  of  NATO  Classified  Information  Handled  and  Stored 
in  Automatic  Oata  Processing  Systems  (U),"  Enclosure  1  to  USSAN 
Instruction  1-69,  "Implementation  of  NATO  Security  Procedure  (U)" 


--  Executive  3r.if.eh  Seg^rtneata  i  \genelea** 

-  Totil  agencies :  15 

•  Totnl  docuaeats :  32 

SURVEY  -  Totnl  Hue 8 t tonne Ires :  27 

SXECOTIVE  SRAKCH  COMPUTER  SEOHITT  POLICY  DOCUMETO 

1.  depARIMEBT/^DICY  PROMJLOAtxSC  TEE  OOCUMEBT 

2.  DOCOMEIT  mniTIFICATIOu 


3.  AtiTg)Rrr*riyE  b*sis(ss)  tor  policy 


a.  FertainlnE  to  cL*8«lfted  Rational  Security  Inf onaatlon ; 

(1)  Executln  Order  12065i  "Rational  Security  Laf oraatlon, "  June  23, 
1978: 

(2)  OSSAR  (Udlted  States  Security  Authority  for  RATO  Affairs} 
Meaorandum  Ro.  1,  "LBplemntatlon  of  RATO  Security  Procedure  (U),” 
17  Dec  1973 >  *•  aosnded  (pertaining  to  RATO  elseslfled  Infonsation 

(3)  AtoBle  Energy  Act  of  195^»  aa  soended  (Public  Lew  93-A38» 
pertaining  to  "Restricted  Data"  g  Formerly  Restricted  Data" ) : 

(b)  Special  access  prograos  for  "intelligence''  (l.e.  "Foreign 
Intelligence"  and  "counterlntelllgenee”  per  EO  12036,  (8), 
below)  under  the  cognisance  of  the  Director  of  Central 
Intelilgence  (e.g.  OCD  Ro.  l/l6): 

(5)  Other  Departtnent/Agency  Special  Acceaa  Progress  (e.g.  Dept,  of 
Defense  —"Single  Integrated  Operational  piau.actrcaely  Sensitive 
Liformatlon/SIOP-ESI" ) : 

(6)  ficeeutlve  Order  IO665,  "Safeguarding  Classified  Information 
Within  industry,"  February  20,  I960,  as  emended: 

(7)  Presidential  Directive /hsc -2b  ("PD-2b"),  16  Rov  77: 

(3)  Executive  Order  I2036,  "United  States  Intelligence  Activities," 
January  26,  1978; 


17  (63*) 

;  0 

2  (7%) 

3  (30*) 

0 

b  (15*4) 

_2 _ 

2  (7i) 
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(9)  ”N»tlon*l  Comnunlciniona  Security  Directive  (U),"  20  Jun  1979: 

t.  Pertaining  to  Unclassified  Infomation: 

(1)  Privacy  Act  of  W**  (PubUe  Law  93-579.  5  U.3.  C.  552a); 

and/or; 

0MB  Circular  A.106,  "Responsibilities  for  tbe  Maintenance  of 
Records  About  Individuals  by  Federal  Agencies,"  July  1,  1975. 

•a  aoended  and  suppleoented : 

(2)  Transmittal  Msswrandum  Ro.  1  to  0MB  Circular  Ro.  A>71,  Security 
of  Automated  Inforastion  Systems,"  July  27,  1978: 

(3)  Records  vlthtaeld  from  public  disclosure  under  the  Freedom 
of  mforrnation  Act  (5  U.S.C.  552): 

c.  Other  General,  Authoritative  Bases: 

(1)  Prohibited  Disclosure  of  confidential  government  information 
(18  U.3.C.  1905): 

(2)  Federal  Reports  Act  -  Unlawful  disclosure  of  information; 
controlled  release  to  other  agencies  (kk  U.S.C.  3506): 

(3)  Unlawful  personal  use  of  public  money,  property  or  records 
(18  U.S,C.  6A1); 

(A)  Robbery  of  personal  property  of  the  U.S.  (I8  U.S.C.  2112); 

(5)  Injury  or  destruction  of  U.3.  property  (Ifl  U.S.C.  I36I); 

(6)  Willful,  unlawful  concealment,  resnval  or  mutilation  of  any 
record  or  other  item  filed  with  the  U.S.  (I6  U.S.C.  2071): 

(7)  FPMR  (Federal  Property  Management  Regulation)  101-36.7, 
Management  and  Control  of  Cosgniter  Rooms  and  Related  Support 
Areas,"  June  15.  19^: 

(8)  FPm  101-35.17.  "Privacy  and  Data  Seeur^  for  Aup  and 
Telaconminications  Systesm,"  June  16,  1978: 

(9)  FPm  IOI-3A,  "Boergency  Preparedness  Planning,"  June  I6,  1978: 

d.  Other  Authorities  Cited  —  Please  identify  fully  as  in  2.,  above,  and 
attach  the  information  to  this  questionnaire. 

A.  APPLICABHITY  of  POUCT  (Please  "X"  aU  that  apply); 

a.  Applies  to  the  department/agency  Identified  in  1.,  above,  and  its 
components  and  facilities: 

b.  Applies  to  an  (or  most)  department/agency  contractors  (i.e.  any 
industrial,  educational,  conerclai  or  other  entity  which  has  executed 
a  contract  with  the  department/agency): 


A  (15%) 

U  (AlH) 

3  (11^) 
a  (30») 
2  (7*) 


25  {93i) 

23  (35*) 
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5-  PSOTCCTIOH  SCOPE  (Pl**«e  "X"  *11  th*t  *re  Included  withla  th*  policy  docuaent): 


%.  lnfoni*tloo/d*ta 


(1)  Classified  VatloDal  Security  Inforaatlon:  t7M.\ 

and/or 

Unclassified  "Rational  Security  Related  Inforaatlon:''  fl 

(2)  Personal  Inforaatlon  relating  to  individuals  ("Privacy'?): 

(3)  Other  agency/departaent  "sensitive  Inforaatlon”  and  records:  lit 

(1)  Adp  syateas  (l.e.  "Autoaatle  Data  Processing  eq.ulpaent,''  Including 
computers  and  auxiliary  or  accessorial  equipment  such  as  l/o 
devices  and  ccmnlcatlons  equipment }: 

(2)  Areas  bousing  Aop  syateas  or  their  coaponents  (e.g.  physical  areas 
containing  aain  fr*ai  or  remote  terminals ) : 

(3)  Computer  Programs  (l.e.  software) 

(A)  Other  MJP  resources  and  supplies: 

Does  the  policy  generally  contain  security  requirements  pertaining 
to  the  entire  life  cycle  of  ("X"  If  answer  Is  "yes"): 

(1)  The  Adp  or  computer  systems  concerned;  23  (55^) 

(2)  Individual  data/appUeatlon  systems:  17  {Sjj) 


6.  COMPUTER  SECURITY  SUBDISCIPI.IBES  SPSCITICAIJg  IRCIUEED  (Ple*se  "X"  au 
requirement  sets  that  are  Included  In  the  policy  document,  to  include 
requirements  that  may  he  enumerated  In  a  separate  document  —  e.g.  the 
computer  security  document  requires  personnel  security  or  eonaunlcatlons 
security  actions  set  forth  In  a  referenced,  separate  document): 


a. 

Personnel  Security: 

26  (96*) 

h. 

Physical  Security: 

27  (100*) 

c. 

Ccnunlcatlons  Security: 

21*  (89*) 

d. 

Onsnatlons  Security; 

19  (70*) 

e. 

Administrative /Procedural  Security: 

26  (96*) 

f. 

Hardware /Software  Security; 

26  (96*) 
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PROGRaJl  COMPONENT  ELEMENTS  (Please  "X"  all  that  are  included  in 
essence  within  the  document) : 


a.  Assignment  of  Responsibility: 

(1)  For  computer  security  within  the  Agency  or  Department 
(i.e.  specification  of  a  headquarters  staff  element 

as  responsible  for  policy  promulgation  and  program 
oversight)  :  26 

(2)  For  specific  AOF  systems  or  AOP  installations  (e.g. 

Appointment  of  ADP  System  Security  Officers) :  2S 

b.  Management  Control  Process  to  asstire  that  administrative, 
physical,  technical  and  other  safeguards  are  included  in 

agency  computer  systems:  26  fg6<) 

c.  Formally  designated  approving  authority  for  the  security 

aspects  of  covered  AOP  systems:  pi 

d.  Overall  security  specifications/requirements:  23  (855t) 

e.  Review,  teat  and/or  evaluation  required  as  basis  for  system 

approval  for  operation:  20  (7**^) 

f.  Audit  or  other  follow'-up  system  or  program  security 

evaluations :  21  (78^) 

g.  RisJc  Analysis  or  Risk  Assessment  methodologies  19  (70%) 

h.  Security  Requirements/Specifications  Applicable  to 

Procurement  (i.e,  equipment,  systems  or' related  services):  20 

i.  Requirements  for  Contingency  Planning:  I8  (67^) 

j .  Personnel  Screening  Requirements  21  (78») 

k.  Specification  of  an  authority  to  grant  waivers:  15 

l.  Requirement  to  specify  an  AOP  security  budget;  **  (15^) 


sxarrsT 


affiCOTITE  3aA*fC2  CCMPVESa  SSCURIK  PQLTC?  DCCCMEBTS 


**8cw*aT  —  B«iomL  mm** 

••Total  teeoHOta:  13 
••Total  qaMttOHMtroa :  5 
•<4otal  pacoo:  126 


MmiCWILErr  of  POUCT  (nta*#  "X"  au  that  apply): 

a.  Appllaa  to  ttn  dapartaaat/aganey  IdaatlTlad  la  l.>  ahcivo>  and  Ita 

eaapoaaata  aod  ftcUltlaa:  5  (ICOlt) 

h.  Appllaa  to  an  (or  a»at)  dapartant/agoaey  eaatr«etora  (l.a.  aay 

ladustnal,  adoeatlooal,  eaaaaretai  or  othar  aatlty  vfaieh  haa  axaeutad 
a  eontroet  with  tha  dapaptaaBt/agaacy):  5  (lOO^t) 
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5.  PROTECnOH  5C0P5  (Pl«««e  "X"  tWt  are  laeluded  vlthla  tie  policy  docuaieat): 
«.  Iafaraiation/d«ta 


(1)  ClMelfied  xatlonal  Security  lof oraetioB :  U  (Q(A) 

■ad/or 

Qtaeldealfied  "ir«tiaii«l  Security  Seiated  laforaetlon:'*  1  (20%) 

(2)  Persoael  infBraetlon  relating  to  IsdiTlduals  ('^ivaey'T):  3  (6oO 

(3)  Other  egeaey/departeent  "senaitlve  infomdtioB''  end  records:  2  (htA) 

b.  (1)  ASP  syatema  (i.e.  "Autoastic  Oet*  Processing  eqTiipncBt,"  Including 

eoaputera  end  auzlliery  or  accessorial  e<{ulpBent  such  as  l/o 

derleea  aod  cf—unl  cations  equlTsent):  5  (lOOlt) 

(2)  Areas  housing  AQp  syatesH  or  their  components  (e.g.  physical  areas 

coBtaiaing  main  fraaa  or  reaote  terminals):  h  (80^) 

(3)  Computer  Programs  (i.e.  softsere)  ^  (80^) 

(h)  other  AOP  resources  Sod  supplies:  3  (60*^) 

c.  Does  the  policy  generally  contain  security  re^iulreaents  pertaining 
to  the  entire  Ufa  cyela  of  ("X"  if  answer  la  "yea”): 

(1)  The  AdP  or  eompater  syatema  concerned: 

(2)  EadlTldual  data/appUcatlon  systems: 


6.  OOMPOTSR  SSCCRirr  saBPBClPmreS  SPBCglCAia  ISCIDIXSS  (Pleaae  "X"  au 
requlrenent  sets  than  are  included  in  the  policy  document  >  to  include 
req:ulremente  that  may  be  emaarated  in  a  separate  doetaaent  —  a.g.  the 
computer  security  doeumant  raqmlrea  panonnel  security  or  eoanunlcatlons 
security  actloaa  set  forth  in  a  referenced,  separate  document): 


a.  Personnel  Security:  ^  (Soj) 

b.  Phyelcal  Security;  5  (lOOO 
e.  CoHunlcatlona  Security:  5  (lOOi) 

d.  assnatlons  Security:  3  (Soj) 


e.  AdmlnistratlTe/Procedural  Security:  5  (100^) 

f.  Bardeere/Softwere  Security;  ?  (100%) 


Pj^OGPAM  COMPONENT  ELSMEMTS  (Please  "X"  all  that  are  included  in 
essence  within  the  document) : 


a.  Assignment  of  Responsibility: 

(1)  For  computer  security  within  the  Agency  or  Department 
(i.e.  specification  of  a  headquarters  staff  element 

as  responsible  for  policy  promulgation  and  program 

oversight)  :  n  fton*^ 

(2)  For  specific  AOP  systems  or  AOP  installations  (e.g. 

Appointment  of  AOP  System  Security  Officers) :  U  (flo*) 

b.  Management  Control  Process  to  assure  that  administrative, 
physical,  technical  and  other  safeguards  are  included  in 

agency  computer  systems:  s  (1Q04\ 

c.  Formally  designated  approving  authority  for  the  security 
aspects  of  covered  AOP  systems: 

d.  Overall  security  specifications/requirements:  5  (lOOt’ 

e.  Review,  test  and/or  evaluation  required  as  basis  for  system 

approval  for  operation:  ^  (80i) 

f.  Audit  or  other  follow-up  system  or  program  security 

evaluations :  ^  (8oi) 

g.  Rislc  Analysis  or  Rislc  Assessment  methodologies  3  (60%) 

h.  Security  Requirements/Specifications  Applicable  to 

Procurement  (i.e.  equipment,  systems  or  related  services)  :  *  3  (oOjt) 

t.  Requirements  for  Contingency  Planning:  1  (80^) 

j .  Personnel  Screening  Requirmaents  ^  (8o%) 

Ic.  Specification  of  an  authority  to  grant  waivers:  ** 

1.  Requirement  to  specify  an  AOP  security  budget;  ^  (20^) 


January  1979 

AGENCY  COMPUTER  SECURITY  PROGRAM  CHECKLIST 

CJse:  To  determine  whether  agency  security  programs  conform 
to  the  requirements  of  0MB  Circular  No.  A-71,  Transmittal 
Memorandum  No.  1  dated  July  27,  1978. 

Agency :  . 

Date  of  Plan(s): _ 

i^SIGNMENT  OF  RESPONSIBILITY  FOR  COMPUTER  SECURITY 

(  )  Has  the  agency  identified  the  individual  having  lead 

responsibility  for  computer  secxirity? 

•  Name  of  Individual _ 

•  Title _  . 

•  Mailing  Address _  . 

•  Phone  Number 

(  )  Has  the  agency  assigned  responsibility  for  computer 

secxirity  at  each  headquarters  and  field  organization? 

(  )  Have  the  names  and  titles  of  individuals  responsible 

for  con^uter  security  at  each  facility/installation 
been  Identified? 

(  )  Do  the  individuals  assigned  responsibility  for  computer 

security  have  both  computer  Md  security  experience? 

(  }  Has  responsibility  for  computer  secxirity  been  formally 

assigned? 

•  By  delegation  memo? _ 

•  By  job  description? _ 

"  By  charter  statement? _ 

•  Other? _ 

MANAGEMENT  CONTROL  PROCESS  FOR  COMPUTER  APPLICATIONS 

(  )  Has  the  agency  described  a  management  control  process 

to  assure  that  appropriate  administrative,  physical 
and  technical  safeguards  are  built  into  all  computer 

systems? 

APPBISIX  ? 
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(  )  Has  the  management  control  process  been  formally 

promulgated? 

(  )  Does  the  process  allow  for  evaluation  of  the 

sensitivity  of  each  current  aind  new  computer 
application? 

*  Does  the  process  define  the  relative  roles  of  the 
user,  developer  and  operator  of  systems  in  deter¬ 
mining  the  sensitivity  of  systems? 

®  Who  makes  the  final  system  sensitivity  determination? 

SECURITY  SPECIFICATIONS 

(  )  Does  the  agency  management  control  process  provide  for 

defining  and  approving  security  specifications  prior  to 
prograumaing  new  applications  or  making  signific2uit 
changes  to  old  applications? 

(  )  Does  the  security  specification  development  and 

approval  process  provide  for  consideration  of  the 
views  of  the  user,  the  developer,  the  service  organiza¬ 
tion,  the  individual  assigned  responsibility  for  com¬ 
puter  security,  and  agency  audit  staff? 

(  }  Does  the  process  define  "significant  chemges  to 

existing  systems"  and  establish  procedures  for 
approval  of  secvirity  provisions  prior  to  making 
changes  to  existing  systems? 

(  )  Does  the  plan  identify  a  date  by  when  a  review  of 

security  specifications  for  existing  systems  will  be 
completed?  Dates  by  when  corrective  action  will  be 
completed? 

(  )  Is  the  final  authority  for  approving  computer  system 

security  specifications  clearly  defined  and  formally 
established? 

®  Who  makes  the  decision? _ 

(  )  Do  the  procedures  assure  that  provisions  of  the  approved 

security  specifications  are  incorporated  in  agency 
administrative  procedures  and  programming  specifications? 

•  Who  is  responsible  for  follow-up? _ 
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DESIGN  REVIEW  PROCESS 

(  )  Do  the  agency  procedures  establish  requirements  and 

responsibilities  for  conducting  desi^  reviews? 

(  }  Does  the  design  review  process  provide  checks  and 

balances  to  assure  adherence  to  the  approved  security 
specification? 

(  }  Does  the  procedure  provide  for  documenting  design 

review  results? 

(  )  Is  the  responsibility  for  approving  system  designs 

subsequent  to  design  reviews  established? 

*  Who  approves? 

SYSTEM  TEST  PROCESS 

(  )  Do  the  agency  procedures  establish  requirements  amd 

responsibilities  for  conducting  emd  approving  systems 
tests? 

(  }  Are  the  relationships  between  the  design  review  pro¬ 

cess  and  system  test  processes  esteUslished? 

(  )  Do  the  agency's  system  test  procedures  require 

testing  of  all  aspects  of  security  ~  including 
administrative  procedures,  financial  checks  and 
balances,  physical  security  and  technological 
security ' features? 

(  )  Are  the  results  of  previous  audits  considered  in 

the  test  procedures? 

(  }  Does  ^he  procedvire  provide  for  documenting  system 

test  .  3ults? 

(  )  Are  responsibilities  for  conducting  system  tests 

established? 

•  Who  is  responsible? 

SYSTEM  GERTIE ICATION  PROCESS 

(  )  Does  the  agency  management  control  process  preclude 

operation  of  any  new  or  modified  system  prior  to 
satisfactory  completion  of  systems  tests? 
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(  ]  Oo  the  certification  procedures  assure  conformance  to 

approved  security  specifications? 

{  )  Do  the  certification  procedures  assure  that  all 

applicable  Federal  policies ,  regulations ,  and 
standards  have  been  complied  with? 

(  }  Do  the  procedures  provide  for  periodic  recertifica¬ 

tion  of  systems? 

(  )  Do  the  procedures  provide  for  certification  of  all 

current  operational  systems? 

*  When  will  they  be  completed? 

(  )  Does  the  agency  prograun  define  policies ,  criteria ,  and 

timetables  for  periodic  recertification  of  systems? 

(  )  Are  responsibilities  for  certification  and  recertifica¬ 

tion  of  systems  established? 

*  Who  is  responsible? 

ADD IT/EVALUATION  REQUIREMENTS 

(  }  Does  the  agency  progreuns  make  a  distinction  between 

security  audits  euid  seciirity  evaluations? 

(  )  Have  audit  requirements  been  formally  established? 

*  Who  is  responsible? _ 

(  )  Have  evaluation  requirements  been  formally  established? 

*  Who  is  responsible  for  the  evaluation  progreun? 

*  What  organizations  will  participate  in  the  security 
evaluation  process? 

(  )  If  agency  program  includes  both  audits  and  evaluations  — 

has  a  coordination  mechanism  been  established  between 
audit  and  evaluation  groups? 

*  Who  is  responsible? _ . 

(  )  Has  a  master  audit/evaluation  schedule  been  prepared? 

*  Have  criteria  been  established  for  determining  the 
priority  of  audits/evaluations? 
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®  Are  high  risk  or  highly  sensitive  applications 
identified? 

**  Have  timetables  been  established  for  conducting 
audits/evaluations  of  all  sensitive  applications 
esteUalished? 

*  Is  the  interval  for  periodic  audits/evaluations 
equal  or  less  than  three  years? 

{  }  Is  the  audit  or  evaluation  performed  by  an  organization 

independent  of  the  user  and  computer  facility  manager? 

(  )  Have  computer  audit  and/or  evaluation  guidelines  been 

estaiblished? 

(  )  Where  applicable,  are  computer  system  audit  require¬ 

ments  incliuied  in  agency  IG  implementation  plans? 

(  )  Are  the  documented  system  security  specifications, 

design  review  results,  system  test  results,  and 
system  certifications  made  available  to  the  audit 
and  evaluation  staffs? 

(  )  Has  the  agency  established  aui  information  system 

audit/evaluation  training  program? 

(  )  Does  the  audit/evaluation  fiinction  include 

*  Eacauttination  of  data  sensitivity? 

®  Verification  and  validation  of  the  adequacy  of 
physical,  administrative,  financial,  and  technical 
control? 

"  Adequacy  of  security  administration? 

RISK  ANALYSIS  PROCESS 

(  )  Has  the  agency  assigned  responsibility  for  conducting 

periodic  risk  auialyses? 

*  Who  is  responsible? _ . 

(  )  Does  the  risk  analysis  adequately  measure  the 

vulnerabilities  at  the  installation? 


Related  to  the  potential  for  fraud  or  theft? 
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®  Related  to  the  potential  for  inadvertamt  error  or 
improper  disclosure  of  information? 

*  Related  to  the  potential  financial  ris]c? 

”  Related  to  the  potential  of  causing  harm  to  individuals 
or  infringing  on  their  rights  of  privacy? 

”  Related  to  the  protection  of  proprietary  data  auid 
potential  harm  to  business? 

(  )  Has  the  relationship  between  the  organization  responsible 

for  conducting  risk  analyses  and  other  organizational 
elements  been  defined? 

®  Relationship  to  IG  function? 

*  Relationship  to  audit  function? 

«  Relationship  to  evaluation  function? 

*  Relationship  to  inspections  function? 

*  Relationship  to  security  f\inction? 

^  Relationship  to  progrsun  office? 

"  Relationship  to  computer  operational  function? 

(  )  Are  requirements  established  for  the  conduct  of  risk 

analyses  for  government-owned-contractor-operated 
(GOCO)  facilities  as  well  as  government  operated 
facilities? 

(  ]  Does  the  agency  program  include  provisions  for  assessing 

risks  related  to  computer  services  provided  by  other 
agencies  and  those  provided  through  commercial 
services? 

(  )  GSA  only  -  Have  provisions  been  made  to  assess  risks 

of  government-wide  services  provided  to  agencies  by 
or  through  GSA,  to  advise  agencies  of  the  level  of 
security  provided  by  those  services? 

(  )  Where  applicable,  are  the  requirements  for  computer 

risk  analyses  included  in  agency  vulnerability  assess¬ 
ment  plans  being  developed  to 'implement  the  I.G. 
legislation? 
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(  )  Has  a  specific  timetable  for  conducting  risk  emalyses 

been  established? 

*  Is  the  interval  between  risk  auialyses  commensurate 
with  the  sensitivity  of  the  information  processed? 

**  Is  the  interval  between  risk  analyses  less  than 
five  years? 

(  )  Where  sensitive  applications  represent  only  a  small 

portion  of  the  workload  of  a  particular  computer, 
has  consideration  been  given  to  moving  the  applications 
to  a  secure  installation  and  avoiding  the  need  to 
secure  the  complete  installation  for  a  small  portion 
of  its  workload? 

(  )  Oo  the  agency  procedures  require  that  a  risk  analysis 

be  performed: 

*  Prior  to  the  approval  of  design  specifications 
for  computer  installations? 

*  Whenever  there  is  a  "significant  chauige"  to  the 
physical  facility,  hardware  or  operating  system 
software? 

(  )  Has  the  agency  defined  "significant  chemge"? 

(  )  Is  the  definition  of  "significant  change”  commensiirate 

with  the  sensitivity  of  the  information  processed  by 
the  installation? 

(  )  Are  NES  draft  guidelines  on  conducting  risk  assess¬ 

ments  included  in  agency  guidance? 

PROCUREMENT  REQUIREMENTS 

(  )  Have  agency  policies  and  procedures  been  established  to 

assure  that  security  requirements  are  included  in 
specifications  for: 

*  Equipment? 

"  Computer  processing  services? 

"  Facility  management  services? 

"  General  purpose  software? 


o 


Operating  system  software? 

Design  or  programming  of  applications? 
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(  ]  Are  the  specifications  reviewed  by  the  security 

official  to  verify  that: 

*  They  are  reason^U3ly  sufficient  for  the  intended 
application. 

®  That  they  con^ly  with  current  Federal  computer 
security  policies,  procedures,  standards  and 
guidelines . 

(  )  Have  the  requirements  been  incorporated  in  the  agency 

procurement  policies  and  regulations? 

(  )  Do  the  procedures  re<^ire  review  of  the  adequacy  and 

security  provisions  in  current  contracts,  consider 
the  feasibility  of  renegotiating  existing  contracts 
where  appropriate,  or  modifying  the  terms  of  existing 
contracts  prior  to  renewing  the  contracts  or 
exercising  any  extension  options  under  the  contracts? 

(  )  Has  responsibility  for  these  matters  been  assigned? 

*  To  whom? _ 

CONTINGENCY  PLANS 

(  )  Has  the  agency  established  policies  and  responsibilities 

to  assure  that  contingency  plans  (in  the  event  of  natural 
disaster,  hardware/software  failure,  or  any  events  which 
could  cause  a  si^ificant  description  of  service)  are 
developed  and  maintained? 

(  )  Are  the  contingency  and  back-up  requirements  established 

by  the  agency  commensurate  with  the  risk  and  magnitude 
of  potential  loss? 

(  ]  Are  the  contingency  plans  reviewed  and  tested  at  periodic 

intervals?  What  intervals? _ 

(  )  Are  the  test  intervals  commensurate  with  the  risk  and 

magnitude  of  potential  loss? 

PERSONNEL  SCREENING  REQUIREMENTS 


(  )  Has  the  agency  established  personnel  security  policies 

for  screening  individuals? 
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(  )  Does  the  personnel  policy  provide  for  levels  of  screening 

comiaensurate  with  the  sensitivity  of  the  function? 

>{  )  Do  the  agency  policies  emd  criteria  consider  separation 

of  duties  in  sensitive  processes  so  that  each  position 
would  be  less  sensitive? 

(  )  Have  screening  requirements  for  contractor  personnel 

been  estaiblished  and  implemented? 

(  )  Are  the  personnel  policies  consistent  with  PPM  letter 

732-7? 


RESOURCE  ESTIMATES  ($  in  thousands) 

One-time  Costs.  Staff- Years _ $ 

On-going  Costs.  Staff-Years _ $ 

GENERAL  COMMENTS 


REVIEWER: 

DATE: 


COMPUTER  SECURITY 


A  list  of  policies,  regulations,  reports  and 
other  reference  documents  pertaining  to  the 
development  of  federal  computer  security  pro¬ 
grams: 

«  To  reduce  fraud  and  waste. 

*  To  protect  personal,  proprietary  and 
other  sensitive  information. 


V 

Office  of  Management  and  Budget 
Inforsiation  S/sten^s  Policy  Division 
February  1979 


0MB  POLICIES 


*  0MB  Circular  No.  A-71,  Transmittal  Memorandum  No.  1, 
"Security  of  Federal  automated  information  systems," 
July  27,  1978  (Copy  attached) . 

-  Agency  Con^uter  Secxirity  Program  Checklist, 

Jamuary  1979  (Copy  attached) 

*  OHB  Circular  No.  A-108  as  amended,  "Responsibilities 
for  the  maintenance  of  records  about  individuals  by 
Federal  agencies,”  July  1975. 

FEDERAL  PERSONNEL  MANUAL  REQCIREMENTS 

"  FPM  letter  732-7  "Personnel  Security  Program  for 
Positions  Associated  with  Federal  Computer  Systems , " 
November  14,  1978. 

FEDERAL  PROCUREMENT  REGULATIONS 

*  FPR  1-4.11  "Proctirement  and  Contracting  for  Government¬ 
wide  Automatic  Data  Processing  Equipment,  Software 
Maintenance  Services,  and  Supplies,"  September  1976. 

"  FPR  1-1.327  "Protection  of  the  Privacy  of  Individuals," 
September  1975. 

FEDERAL  PROPERTY  MANAGEMENT  REGPLATIONS 

*  FPMR  101-36.7  "Management  euid  Control  of  Computer  Rooms 
and  Related  Support  Areas,"  June  15,  1978. 

*  FPMR  101-35.17  "Privacy  and  Data  Security  for  ADP  and 
Telecommunications  Systems,"  June  16,  1978. 

*  FPMR  101-20  "Management  of  Buildings  and  Grounds," 

June  16,  1978. 

*  FPMR  101-34  "Emergency  Preparedness  Planning,"  June  16, 
1978. 

*  FPMR  101-37.6  "Essential  Telephone  Services  During 
Emergencies,"  June  16,  1978. 

STANDARDS 


PIPS  PUB  46  "Data  Encryption  Standards,"  January  15, 
1977. 
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GUIDELINES 

“  FIPS  PUB  31  "Guidelines  for  ADP  Physical  Security  and 
Risk  Meuiagement , "  June  1974. 

“  FIPS  PUB  39  "Glossary  for  Computer  Systems  Security," 
February  15,  1976. 

"  FIPS  PUB  41  "Computer  Security  Guidelines  for  Imple¬ 
menting  the  Privacy  Act  of  1974,"  May  30,  1975. 

"  FIPS  PUB  48  "Evaluation  of  Techniques  for  Automated 
Personal  Identification,"  April  1,  1977. 

*  "Standard  Practice  for  the  Fire  Protection  of  Essential 
Electronic  Equipment  Operations"  published  by  the 
National  Fire  Prevention  and  Control  Administration  of 
the  Department  of  Commerce,  August  1978. 

GAO  REPORTS  -  which  identify  computer  system  design  and 

security  problems . 

«  FGMSD-76-S  "Improvements  Needed  in  Managing  Automated 
Decisiotunaking  by  Computers  Throughout  the  Federal 
Government,"  April  23,  1976. 

“  FGMSD-76-27  "Computer-Related  Crimes  in  Federal  Programs," 
April  27,  1976. 

*  FGMSD-76-40  "Meuiagers  Need  to  Provide  Better  Protection 
for  Federal  Automatic  Data  Processing  Facilities," 

May  10,  1976. 

®  FGMSD-77-32  "Computer  Auditing  in  the  Executive  Depart¬ 
ments:  Not  Enough  is  Being  Done,"  September  28,  1977. 

*  FGMSD-77-14  "Problems  Found  with  Government  Acquisition 
and  Use  of  Computers  from  November  1965  to  December  1976," 
March  15,  1977 

*  LCD-77-102  "Vulnerabilities  of  Telecommunications  Systems 
to  Unauthorized  Use,"  March  31,  1977. 

*  FGMSD-76-32  "New  Methods  Needed  for  Checking  Payments 
Made  by  Computers,"  November  11,  1977. 

*  FPCD-77-64  "Proposals  to  Resolve  Longstanding  Problems 

in  Investigations  of  Federal  Employees,"  December  16,  1977 

*  LCD  75-102  "Challenges  of  Protecting  Personal  Information 
in  em  Expanding  Federal  Computer  Environment,"  April  28, 
1978. 


*  LCD-76-115  "Safeguarding  Taxpayer  Information — An  Evalua 
tion  of  the  Proposed  Computerized  Tax  Administration' 
System,"  January  17,  1977. 

*  HRD-78-116  "Procedures  to  Safeguard  Social  Seciirity 
Beneficiary  Records  Can  and  Should  be  Improved," 

June  5,  1978. 

"  FQ4SD-78-27  "Inadequacies  in  Data  Processing  Planning 
in  the  Department  of  Commerce,"  May  1,  1978. 

“  CED-78-84  "Problems  Persist  in  the  Puerto  Rico  Food 
Stamp  Program,  The  Nation's  Largest,"  April  27,  1978. 

*  HRD-77-110  "Privacy  Issues  and  Supplemental  Security 
Income  Benefits,"  November  5,  1977. 

"  LCD-78-123  "Automated  Systems  Security  —  Federal 
Agencies  Should  Strengthen  Safeguards  Over  Personal 
And  Other  Sensitive  Data,"  January  23,  1979. 

REFERENCE  DOCUMENTS 


*  Senate  Governmental  Affairs  Committee  Print  -  "Problems 
Associated  with  Computer  Technology  in  Federal  Programs 
amd  Private  Industry,"  June  21,  1976. 

"  Senate  Governmental  Affairs  Committee  Print  -  "Computer 
Security  in  Federal  Programs,"  February  1977. 

"  The  Report  of  the  Privacy  Protection  Study  Commission  - 
"Personal  Privacy  in  an  Information  Society,"  July  1977. 

*  "Report  of  the  Commission  on  Federal  Paperwork,  Final 
Summary  Report,"  October  3,  1977;  and  "Confidentiality 
eind  Privacy,"  June  29,  1977. 

*  "Computer  Secxirity  Publications"  published  by  the 
Institute  for  Computer  Sciences  and  Technology  of  the 
National  Bureau  of  Standards,  July  1978. 


EXTRACTS  PROM: 


AppEiroiX  0 


ACTIVITIES  INCLPDED  IM  THE  AUDIT 


r 


Deoarcnenc  of  Defense 


Otiiem  a<  Clviliaa  BmIcA  «ii4  Itodle^  Bra^raa 
(or  t&a  Oaxiotsad  Sarvlcaa,  Oanvar.  CO 


Defense  Agencies 


Oafanaa  Caiuaieaelana  fcaaacy 


nf - Caaarelal  Ciiinnl  rattana  OStlea.  Seoce  Aiz  Focea 

■aaa.  ZX. 

Bafaaaa  Loaiatlea  Aaaaev 
OaZaaaa  Oapoc.  Osdaa,  Ot 

Oafaaaa  Faraoaaai  Sappon  Caaear.  fhtladalpeia»  M 
OaZanaa  Loslaales  Aqaacy  Adatlaiaezaclva  SupporB  Caaeae, 
Caaacoa  Staelaa.  xlaaaadcla.  VX 

Caatzaec  AdalaXaczacloa  Sarvleaa  Saploa.  Atlaaea.  SA 

Oafaaaa  iWelaar  Aaaaer 

■aaiqoarBana  Alaaaadzla.  VX 

AzBad  rozeaa  Badinhiolasy  laaaazeii  taaBltaea.  Saphaada »  HD 


Degereaene  of  the  Army 


laadonarBara 

Asap  AaeaaaBioa  Olratfeosaca.  OZSlea  sS  cOa  Otlmi  dC  StaSS, 

Acar,  WaaiUafcoa.  O.C. 

OSflda  a<  cba  AaaAacaae  CAiaS  at  SeaSS  far  taeallApaaea# 
eaahtnptaa,  O.C. 

Ca2e^^^_0aaiS3_AeBiTj,tla£ 

OS  Acar  Cd^uear  Syreaas  caaaaad.  Fb  salTOir.  FA 
Auceaaead  Ci^iacAea  HaaapaaaBB  fyacaas  Apaaer.  Fore  Zaa,  FA 
OS  Acar  Ftaaaea  and  Aceauaelap  Caaear.  Zadlaaa^IAs.  a 
OS  Acar  Hanapaeana  Srceaaa  Snppere  Afaoer.  VaaaABpcao,  O.C. 

Oaea  Froeaaalaa  laaeallaalaaa 

OS  Acar  Hllleacr  FarsoaaaX  Caaear.  Burapa.  laldalOarp.  ganwany 

21ac  Suppare  rrniaanrt.  fwaAbceaefcaa.  Cacaaay 

OS  Acar  Manapaaaae  Sraeoau  Suppare  Aqaaey.  WaaAXaooaa.  O.C. 

OS  Acar  KLIXearr  FaraoonaA  Caaear.  Aloaaadrxa.  VA 
OS  Acar  Fareaa  Cnaaaad.  Fere  MefBarsoa.  CA 
XFtZZ  AAcfiacna  Carpa  aord  Fare  Irapp.  Fare  Srapp.  PC 
OS  Acar  Fiaaoea  aod  AceauaeAap  Caaear.  CadAaoapolAJ .  Cl 
OS  Acar  Freop  Suppare  Caaoaad.  Se.  lauAa.  W 

OS  Arar  Aaaarva  Caoponaaea  Faraodoai  aod  AdBiaXaeraelaa  Caaear, 
se.  Cdttic.  NO 


Deoartnenc  of  che  Navy 


AvlaeAon  Supply  Cfflea.  FBiladalpaia.  FA 

Oaea  Freeaaaiap  Sarveea  Caaear  Faelfle.  Alaaada.  CA 

Flaae  Haearial  Suppare  Cfflea.  Hoe.naaieieurp.  FA 

Hara  Zalaiid  Haral  SUpyard.  FalZa}a.  CA 

Savai  Supply  Caaear.  Oaclaad.  CA 

Haval  Alt  Taae  Canear,  Faeuxaac  Alrar,  HO 

SMxpa  Farea  Ceaerel  Caaear,  HacCaaieiPurp.  FA 
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APPENDIX  A 
Page  1  of  2 


PX^mPED  IN  1HS  AUDIT 


Deparoent  of  the  Air  Force 


A«res2ae2_£a£2nsa_C£aand 

raearaos  JkLr  rorea  laaa>  C3 

Air  foraa  Laalialea  Ca—aad 

■aadiiaarura.  wri^tte-faesaraea  Air  tarcm  laaa.  01 
ileClaUaa  Air  forca  Saaa,  OL 
■oAiJsa  Air  ratem  laaa.  OL 

Air  tralalna  CaMaad 

laaalar  Xir  tarea  aaaa.  MS 
tafataial  Air  rorea  Baaa.  TZ 
SiMvraxd  Air  /area  Saaa.  tz 

xir  rorra  >vaaa—  e3«»aa«l 

XarosaaeiLeai  Syaeaaa  Olalalaa,  wrl«ae'>raesaxaea  Xic  ferea 
Baaa.  01 

Uvacda  Air  rorea  Baaa.  OX 

mileary  XlrllBe  Cnaiwaivl 

toadqoareara,  Scace  Xlr  rorea  Baaa.  n 
MsOttXra  Xlr  rorea  Baaa,  U 
Tssela  Xlr  rorea  BXaa.  OX 

Btraeaele  Xlr  Caanaad 

XadarooB  Xlr  recea  Baaa.  CViaa 
Baala  Air  rosea  Baaa.  CX 
rXacsaOunr  Xlr  rorea  Baaa.  MX 

Txerleal  Xlr  CaaaaiiO 

Haadcpiarearr.  Xaaoiay  Air  rorea  Baaa.  vx 
Baroacrea  Xlr  rorea  Baaa,  TZ 
NaeOlU  Xlr  rorea  Baaa.  n 

Caltad  Bxaeaa  Xlr  roreaa  In  Caroea 

■aaOquareara  nm,  Baaaeala  Xlr  Baaa,  Saraaar 
Baaaeala  Air  Baaa.  Sacoaay 
Torrajea  Xlr  Baaa.  Spaia 

raclfie  Xlr  rereaa 

Oaaa  Xlr  Baaa,  Korea 

Xlr  Macloaal  GaarO 

Xlr  Saeional  Ouard,  TOeaea.  At 

BueXlay  rlald.  CO 

Caaaally  rtald,  XX 

raaaa  Xlr  rorea  Baaa.  Ml 

Mill  Bofara  tauraaeloaal  Xlrpere,  01 


Xlr  rosea  xeeouaelao  «ad  riaaaea  Canear.  Oao^ar.  CO 
Xlr  rosea  Oaca  Syaeaaa  Saaiea  CaaOar.  Ouaear  Xlr  rosea  laaa, 
Moneooaary,  At, 
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REPORTS  ISSUES 


Report 


Defense  Audit  Service  Nucber 


Report  on  the  Audit  of  AOP  Systens 
Security  and  Privacy  at  the  Defense 
QSDinercial  OCRitunicationa  Office  838 

Report  on  His  Audit  of  AOP  Systans- 

Security  and  Privacy  at  Selected 

Defense  logistics  Agency  ^stivities  852 

R^rt  on  the  Audit  of  ACP  SystesB 

Security  and  Privacy  at  Selected 

Defense  Nuclear  Agency  Activities  862 

Report  on  the  Audit  of  ACP  Systaos 
Security  and  Privacy  at  the  Office 
of  the  Civilian  Health  and  Mail  cal 
Program  for  the  tMifozmed  Services  873 


Army  Audit  Agency 

Report  of  Audit,  Systan  Security  and 
Privacy  at  Data  Processing 

Installations  EC  77-219 

Naval  Audit  Service 

Audit  Survey  R^ort,  Securi'^ 

Considerations  in  Autrxnatic  Data 
Processing  Systats  Preventing  Fraud 
in  Si^ly  Operations  Z20086 

Air  Force  Audit  Agency 

Interservice  Audit  of  Computer 

Systems  Security  and  Privacy  SRA  75333 


Date 

Dec  6,  1977 

Fet  7,  1978 

Mar  7,  1978 

Mar  28,  1978 

Aug  31,  1977 

Nbv  23,  1977 

Dec  21,  1977 
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PROPOSED  DOD  SENSEPiriTr  CATEGORIES 


S«n«itivitT  Categories  —  Data  & 

ADP  I.  '•Crlcieal-SaBsltive".  DoO  <lab|  aad  applicaciona  stored  or  processed 
in,  or  coomuaicated,  displayed  or  dissefflinaCed  by,  an  Autoaatic  Data 
Processing  (ADP)  Systea  sball  be  categorized  as  ASP  I  when  one  or  aore 
of  Che  following  criteria  are  aet: 

-  Top  Secret  national  Security  Information  —  The  data  or  applica¬ 
ciona  require  protection  in  the  interest  of  national  security,  and  the 
classification  designation  is  "Top  Secret"  (DoO  Regulation  S200.1-R); 

•  Mission  Critical  —  The  data  or  applications  are  such  that  Che 
denial  of  use,  loss,  coaproaise,  disableaent  or  vinauthorized  alteration 
thereof  could  reasonably  be  expected  to  directly  and  gravely  degrade  or 


APFSrOIX  H 


jeopardize  the  capabilities  of  a  Ililitary  Department,  the  Joint  Chiefs 
of  Staff,  a  Defense  Agency  or  a  Dnified  or  Specified  Comound  to  timely 
and  effective  discharge  of  their  primary  functions  (DoD  Directive  5100.1) 
in  support  of  DoD  emergency  and/or  war  plans; 

-  Life  Critical  —  The  data  or  applications  are  such  that  the 
denial  of  use,  loss,  compromise,  disablement  or  unauthorized  alteration 
thereof  could  reasonably  be  ezpected  to  directly  and  gravely  jeopardize 
human  life ; 

-  Automated  Decisionmakine  Systems  —  Applications,  not  otherwise 
included  in  the  foregoing,  which  issue  checks,  requisition  supplies  or 
perform  sisular  assets  control  functions,  based  on  prograaoed  criteria 
with  little  human  intervention,  wherein  the  potential  loss  or  exploitable 
monetary  value  of  the  assets  handled  could  exceed  $10,000,000  per  year. 

ADP  II.  "Noncritical-Sensitive".  DoD  data  and  applications,  which  do 
not  meet  any  of  the  foregoing  criteria  for  category  ADP  I,  shall  be 
categorized  as  ADP  II  when  one  or  more  of  the  following  criteria  are 
net: 

-  Secret  or  Confidential  Wational  Security  Information  —  The  data 
or  applications  require  protection  in  the  interest  of  national  security, 
and  the  classification  designation  is  either  "Secret”  or  "Confidential" 
(DoO  Regulation  5200. 1-R); 

-  Mission  Critical  —  The  data  or  applications  are  such  that  the 
denial  of  use,  loss,  compromise,  disablement  or  unauthorized  alteration 
thereof  could  reasonably  be  expected  to  degrade  or  jeopardize  component 
command  or  major  staff  element  cap^ilities  to  support  timely  and  effec¬ 
tive  discharge  of  Military  Department,  OJCS,  Defense  Agency  or  U  &  S 
Command  missions  and  functions; 

-  Privacy  —  The  data  or  applications  involve  personal  information 
requiring  protection  pursuant  to  the  Privacy  Act  of  197A  (DoD  Directive 
5400.7); 

-  FOIA  Exerotions  --  The  data  or  applications  (unclassified)  have 
been  determined  to  be  exempt  from  public  disclosure,  consistent  with  the 
requirements  of  the  F"eedom  of  Information  Act  (FOIA)  (Section  VI,  OoD 
Directive  5400 . 7 ) ; 

-  Automated  Decisionmaking  Systems  —  Applications,  not  otherwise 
included  in  the  foregoing,  which  issue  checks,  requisition  supplies  or 
perform  similar  assets  control  functions,  based  on  programmed  criteria 
with  little  human  intervention,  wherein  the  potential  loss  or  exploitable 
monetary  value  of  the  assets  handled  could  range  between  $1,000,000  and 
$10,000,000  per  year. 

ADP  III,  "Sottsensitive".  All  other  OoO  data  and  applications  which  do 
not  meet  the  criteria  for  categories  ADP  I  or  ADP  II  as  set  forth  above. 


S«uici^rlty  Cawaorlea  ~  (Figure  2) 


ADP  I.  "Carlclcal-Seaaiclye".  ADF  rysceas  sAeil  be  cacegorxzcd  as  AOP  I 
whea  cither  of  the  following  criteria  is  aet: 

-  ADP  I  Data  or  Aoplicatlona  '■>  The  AOP  syetaa  stores  or  processes 
one  or  aore  sets  of  data  or  applications  categorized  as  AOP  I,  "Critical- 
Sensitive,''  pursuant  to  the  criteria  herein;  or, 

-  Antoaated  Deciaionaakinz  Svateas  —  The  AOP  systea  handles  "auto- 
aated  dedsionaaking  systeas'.'  wherein  the  aggregate  total  potential  loss 
or  exploitable  aonetary  value  of  aaaeta  handled  collectively  by  the  AOP 
systea 's  autoaaced  decisonaaklng  systeas  applications  could  exceed 
$10,000,000  per  year. 

AOP  n.  'TToncritical-Senaitive'*-  AOP  systeas,  which  do  not  aeet  any  of 
the  foregoing  criteria  for  category  AOP  I,  shall  be  categorized  as  AOP 
II  when  either  of  the  following  criteria  is  aet: 

-  ADP  II  Data  or  Applications  The  ADP  systea  stores  or  processes 
one  or  aore  sets  of  data  or  applications  categorized  as  AOP  I;  or, 

-  Autoaated  Deciaionaakins  Systeas  --  The  AOP  systea  handles  "auto- 
aated  dedsionaaking  systeas"  wherein  the  aggregate  total  potential  loss 
or  exploitable  aonetary  value  of  assets  handled  collectively  by  the  AOP 
systea' a  autoaated  decisionaaking  systeas  applications  could  fall  between 
$1,000,000  and  $10,000,000  per  year. 

ADP  III,  "KonseMitive".  All  other  AOP  systeas  processing  OoD  data  or 
applxcations. 

Sensitivity  Catesodes  —  Personnel  Positions  (Flzure  3) 

ADP  I.  "Critical -Sensitive".  Posidons  of  personnel  requiring  access  to 
ADP  I  DoO  data  or  applications  OS  unescorted  access  to  an  ADP  I  ADP 
syatea(s) . 

ADP  II.  "Honcritical-Sensitive".  Posidons  of  personnel  requiring 
access  to  ADP  II  OoO  data  or  applications  OR  unescorted  access  to  an  AOP 
II  AOP  syscea(s). 

ADP  III,  "Wonsensidve".  Posidons  of  all  ocher  personnel  requiring 
access  to  OoD  data  or  applicadons  OR  requiring  unescorted  access  to  an 
AOP  systea  containing  OoO  data  or  applicadons. 

Now  when  we  link  Che  foregoing  to  the  systea  security  aede  concepts 
already  presented,  we  have  the  capability  to  ainiaize  personnel  security 
clearances  for  systeas,  based,  in  the  teras  of  this  seainar,  on  the 
relative  "truscedness"  of  Che  internal  systea  security  controls.  For 

exaaple: 


Adlustant*  for  Poticion  S€ii«ltiTiev  (UtaKOtiM  (Figure  4) 

1.  "Mttltileyel  and  Coattelled  Mode”  Systeme  —  The  positions  o£ 
ADP  System  Users  with  access  to  systeas  already  approved  to  operate  in 
either  the  "Controlled  Security  Hode"  or  the  'Thiltilevcl  Security  Mode” 
pursuant  to  OoO  Directive  S200.28  (or,  for  contractor  ADP  systems,  DoO 
Uanual  S220.22-if)  shall  be  designated  in  the  position  sensitivity  cate¬ 
gory  commensurate  with  the  most  sensitive  category  of  the  DoO  data  or 
application(s)  they  will  access  under  system  constraints. 

2.  "TemBorarilv  Dedicated"  Systems  —  The  positions  of  personnel 
with  access  to  ADP  systems  currently  operating  under  procedures  that 
effect  temporary  dedication  to  different  sensitivity  categories  at 
different  periods  of  time  (also  called  "color  changing"  or  "periods 
processing”)  shall  be  designated  in  the  sensitivity  category  commen¬ 
surate  with  the  moat  sensitive  category  of  DoO  data  or  application(s) 
contained  in  the  system  during  periods  of  each  individual's  access  to 
the  system.  In  resiotely  accessed  systems,  this  will  include  remote 
terminal  users  wherein  the  resMte  tetminal  is  disconnected  during  higher 
sensitivity  category  processing  periods. 

3.  "Output  Only*'  —  The  positions  of  ADP  System  User  personnel 
shall  be  designated  in  the  position  sensitivity  category  commensurate 
with  the  category  of  only  the  system  output  th^  actually  receive  when: 
(1)  such  personnel  do  not  it^ut  to  or  otherwise  directly  interact  with 
the  system  (|l.c.,  no  "hands  on"  or  other  direct  input  or  inquiry  capa¬ 
bility),  an^  (2)  the  output  products  are  either  reviewed  prior  to 
dissemlnatioh  or  otherwise  determined  to  be  properly  identified  as  to 
content,  intended  recipient  and  sensitivity  category  (i.e.,  systems 
approved  to  implement  this  option  pursuant  to  paragraph  IV.C.S.b.,  DoD 
Directive  S200.28  or  for  contractor  ADP  systems,  paragraph  108,  DoD 
Uanual  3220. 22-H). 

4.  "Technical  Review"  —  The  positions  of  personnel  who  design, 
develop  or  generate  OoO  data  or  applications,  or  who  generate  ii^ut  to 
an  ADP  system  containing  OoO  data  or  applications,  shall  be  designated 
in  a  less  sensitive  position  category  when  (1)  such  personnel  do  not 
have  access  to  ADP  systems  containing  higher  sensitivity  category  data 
or  applications,  and  (2)  when  the  product  or  input  generated  bv  such 
personnel  is  subject  to  "Technical  Review." 


The  most  important  consequence  of  the  foregoing  is  that  if  we  pursue 
this  concept  then  the  need  for  "trusted"  systems,  just  within  Defense, 
will  expand  from  potentially  ZTT,  of  our  inventory  (the  subset  that 
processes  classified  information)  of  general  purpose  ADP  systems  to 
1001%.  With  Defense  contractors,  the  requirement  is  expected  to  also 
increase,  although  there  is  no  basis  for  anticipating  spscific  numbers. 
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COMPTROLLER  GENERAL'S  AUTOMATED  SYSTEMS  SECURITY — 

REPORT  TO  THE  CONGRESS  FEDERAL  AGENCIES  SHOULD 

STRENGTHEN  SAFEGUARDS  OVER 
PERSONAL  AND  OTHER  SENSITIVE 
DATA 

DIGEST 

Federal  agencies  GAO  surveyed  did  not  have  a 
centrally  directed  program  to  protect  effec¬ 
tively  personal  and  other  sensitive  data  in 
computer  systems.  Programs  fell  short  of 
being  comprehensive  and  top  management  sup¬ 
port  was  lacking.  This  was,  in  part,  because 
upper  management  either  did  not  recognize  or 
adequately  appreciate  their  responsibilities 
in  this  area  or  recognize  the  potential  for 
invading  the  privacy  of  people  or  organiza¬ 
tions  served  by  the  agency  and  for  damage  to 
agency  program  operations. 

GAO  surveyed  selected  agencies  in  1977  because 
of  the  generally  high  level  of  congressional 
interest  in  Federal  information  policies 
following  the  enactment  of  the  Privacy  Act 
and  the  Freedom  of  Information  Act  Amendments 
in  1974.  Subsequently,  GAO  was  specifically 
requested  to  examine  and  report  on  the  status 
and  effectiveness  of  major  Federal  agencies' 
computer  security  programs  by  the  Chairman 
of  the  House  Subcommittee  on  Government 
Information  and  Individual  Rights,  House 
Committee  on  Government  Operations. 

( See  p .  1 . ) 

GAO'S  review  included  10  civil  agencies  but 
excluded  the  highly  specialized  area  of 
controls  over  national  security  classified 
data  in  Defense  agencies.  (See  p.  2.)  Many 
other  agencies  throughout  the  Government  are 
experiencing  to  varying  degrees  some  of  the 
same  weaknesses.  In  fact,  GAO's  review  further 
confirmed  automated  system  security  and  control 
problems  disclosed  in  many  prior  GAO  published 
reports.  (See  p.  3.) 
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In  a  larger  aenae,  theae  findinga  have  poten¬ 
tial  applicability  wherever  computers  are 
uaed  intensively.  This  is  because  o£  the 
pervasiveness  of  the  underlying  causes  of 
poor  data  security.  Modern  computer  based 
information  systems  represent  relatively 
recent  technology  that  has  introduced  many 
new  threats  adding  to  management  problems 
of  maintaining  data  at  acceptable  levels  of 
integrity  and  security.  (See  pp.  7  and  8.) 

WEAKNESSES  IN  AGENCY  PROGRAMS 
FOR  COMPUTER  SECURITY 

GAO  focused  on  weaknesses  in  the  agencies' 
systems  of  management  controls^  including 
appropriate  organizations,  monitoring  and 
reporting,  use  of  risk  analysis,  and  use  of 
independent  internal  audits.  (See  pp.  10 
27,  and  47.) 

Particular  attention  was  given  to  the  degree 
of  agencies '  efforts  to  organize  and  implement 
broadly  conceived  programs  of  data  security 
in  compliance  with  the  Office  of  Management 
and  Budget  (0MB)  directives  and  related  com¬ 
puter  security  guidance  published  by  the 
National  Bureau  of  Standards,  Department  of 
Commerce.  (See  p.  10.) 

Although  all  agencies  reviewed  had  some 
elements  of  a  computer  security  program  in 
varying  stages  of  being,  they  lacked  the 
management  support  needed  to  be  truly 
comprehensive.  (See  p.  10.) 

Security  programs  usually  were  not  developed 
from  the  perspective  of  the  total  data 
system;  consequently,  any  weak  link  could 
result  in  ineffective  security.  For 
example,  the  scope  of  most  security  programs 
did  not  cover  data  in  all  media  and  in  all 
stages  of  the  data  life  cycle  nor  did  they 
consider  all  possible  threats  at  all  loca¬ 
tions  involved  with  the  agencies'  data. 
Additionally,  many  programs  did  not  have 
written  plans,  policies,  and  procedures. 

(See  p.  11.) 
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Also,  aanageraent  generally  did  not  place  the 
computer  security  function  at  a  sufficiently 
high  level,  with  independence  from  operating 
functions,  to  preclude  preemption  by  opera¬ 
tional  priorities.  Thus,  authority  to  rec¬ 
ommend  and  enforce  security  measures  was 
seriously  lacking.  Agencies  did  not  estab¬ 
lish  clear  responsibilities  of  individuals 
and  organizations.  (See  p.  14.) 

Management  generally  was  giving  inadequate 
attention  to.  monitoring  the  aspects  of  com¬ 
puter  security  in  their  organizations  to  be 
sufficiently  informed  on  how  their  security 
measures  were  working.  Management  was  not 
receiving  the  feedback  necessary  for  control 
of  computer  data  security.  (See  p.  20.) 

Agencies  usually  had  selected  computer  systems 
safeguards  intuitively  rather  than  on  a  cost- 
effectiveness  determination  which  would  take 
into  account  the  degree  of  sensitivity  and 
vulnerability  of  the  information  to  be  pro¬ 
tected.  This  risk  management  concept,  which 
should  be  applied  in  all  determinations  to 
select  economically  feasible  safeguards  con¬ 
sidering  the  particular  environment  where  the 
data  is  processed,  was  generally  not  employed. 
(See  p.  27.) 

Security  programs  should  but  usually  did 
not  address  all  of  the  necessary  elements 
of  technical,  administrative,  and  physical 
safeguards.  In  many  cases,  attention  had 
been  given  by  technicians  and  lower  and 
middle  level  managers  to  the  obvious  and 
traditional  safeguards.  However,  safeguard 
protection  that  required  upper  level  manage¬ 
ment  and  administration  were  neglected. 

(See  p.  30.) 

INTERNAL  AUDIT 

At  a  time  of  increasing  reliance  on  computers 
and  rapidly  advancing  automated  data  proc¬ 
essing  technology,  internal  audit  can  be  a 
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vital  resource  for  keeping  management  in¬ 
formed  on  data  security  requirements  and 
how  well  these  responsibilities  are  being 
met.  However »  at  the  agencies  surveyed, 
independent  internal  audit  generally  was 
not  significantly  Involved  in  assessing 
computer  based  systems  controls  or  con¬ 
ducting  more  conventional  security  compli¬ 
ance  audits. 

Agency  internal  audit  was  not  significantly 
involved  in  computer  security  because  of  a 
lack  of  technical  expertise.  Discussions 
with  Internal  Audit  officials  revealed  that 
the  expertise  needed  to  challenge  security 
shortcomings  has  not  been  developed  because 
top  management  has  not  tasked  internal  audit 
in  a  computer  security  role.  (See  p.  47.) 

0MB 's  GUIDANCE  TO  AGENCIES 

Although  0MB  has  stressed  that  data  security 
and  integrity  are  the  responsibilities  of 
the  heads  of  departments  and  agencies,  GAO 
found  that  agencies  did  not  take  the  initia¬ 
tive  to  meet  these  responsibilities. 

0MB 's  policy  guidance  and  technical  guidance 
provided  by  the  National  Bureau  of  Standards 
was  largely  ignored  and  not  used  to  advantage. 
Consequently,  the  agency  security  programs  did 
^  not  reflect  the  intent  of  this  guidance. 

CONCLUSIONS 

0MB  issued  Circular  A-71,  TM-1 — on  Security  of 
Federal  Automated  Information  Systems — after 
completion  of  this  review.  The  circular  re¬ 
quires  action  by  agency  top  managers  which 
could  contribute  greatly  to  correcting  many  of 
the  computer  data  security  problems  addressed 
in  the  GAO  report.  The  circular  is  directive. 
It  is  also  quite  comprehensive.  It  requires 
agency  heads  to  report  on  their  plans  to 
to  comply.  (See  p.  23.) 
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Specifically,  the  circular  promulgates 
policies  and  responsibilities  for  the 
development  and  implementation  of  computer 
security  programs  by  all  executive  depart¬ 
ments  and  agencies:  It  further  addresses 
the  general  requirement  for  agencies  to 
implement  a  computer  security  program;  it 
establishes  specific  requirements  for  the 
development  of  management  controls  to 
safeguard  personal,  proprietary  and  other 
sensitive  data  in  automated  systems;  and 
it  defines  a  minimum  set  of  technical 
controls  to  be  incorporated  into  each 
agency  computer  security  program.  (See 
app.  IV.)  Therefore,  it  sets  an  appro¬ 
priate  framework  for  agencies'  initiatives 
to  correct  their  data  security  problems. 

RECOMMENDATION  TO  0MB 

GAO  views  a  leadership  role  by  0MB  as  vital 
to  maintaining  the  momentum  that  Circular 
A-71  should  impart  to  computer  security  in 
Federal  agencies.  GAO  is  concerned  that 
agencies  may  lose  sight  of  the  stated  pur¬ 
pose  of  the  directive,  i.e.,  that  agencies 
develop  and  implement  computer  security 
programs  with  a  scope  to  protect  personal, 
proprietary  and  other  sensitive  data.  The 
circular  further  addresses  certain  specific 
technical  requirements.  Accordingly,  GAO 
sees  a  critical  need  for  OMB  to  follow  up 
on  the  circular's  requirement  that  agencies 
prepare  and  submit  plans  for  compliance. 

(See  p.  23.) 

The  Director  of  OMB  should  arrange  for  inde¬ 
pendent  reviews  by  persons  knowledgeable  in 
computer  security  of  the  plans  of  departments 
and  agencies  responding  to  Circular  A-71. 

OMB  should  critique  agencies  on  the  adequacy 
of  their  plans  for  computer  security  using 
the  findings  and  recommendations  to  heads  of 
agencies  contained  in  this  report  as  well  as 
the  requirements  set  forth  in  Circular  A-71. 
(See  p.  23.) 
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RECOMMENDATIONS  TO  HEADS 
OF  FEDERAL  AGENCIES 


All  agencies  should  strengthen  their  computer 
data  security  and  integrity,  highlighted  as 
£o] lows . 

— Computer  security  programs  should  be 
comprehensive.  They  should  include 
plans,  policies,  and  procedures  in 
writing  that  clearly  establish  respon¬ 
sibilities  throughout  the  organization. 

(See  p.  25. ) 

— Agencies  should  establish  a  computer 
security  administration  function  with 
independence  from  computer  operations. 

This  organization  should  report  directly 
to  or  through  a  principal  official  who 
reports  directly  to  the  agency  head. 

(See  p.  24.) 

— Programs  should  provide  for  feedback 
for  management  control,  both  in  routine 
monitoring  and  reporting  and  in  inde¬ 
pendent  internal  audits.  (See  pp.  25 
and  52.) 

—Risk  management  should  be  provided 
for  and  should  be  on  the  perspective 
of  the  total  data  systems.  (See  p.  4^.') 

— Security  planning  should  anticipate 
training  needs,  particularly  for  risk 
management.  (See  pp.  25,  46,  and  52.) 

0MB 's  COMMENTS 

0MB  representatives  indicated  that  GAO's  exam¬ 
ination  of  the  status  and  effectiveness  of 
computer  system  security  programs  provided 
information  and  recommendations  which  would  be 
used  and  followed  up  in  their  own  assessments 
of  Federal  agencies'  plans  to  comply  with  their 
Circular  A-71  and  other  requirements. 
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0MB  is  placing  a  high  priority  on  efforts 
over  the  coming  year  to  improving  security 
programs  in  agencies  and  has  organized  a 
task  force  to  accomplish  reviews  of  agencies' 
plans.  This  effort  is  coupled  with  OMB's 
broader  concerns  for  improving  controls  in 
agencies  over  fraud  and  abuse.  0MB  indi¬ 
cated  that  attention  by  agencies'  inspector 
general  functions  will  be  focused  on  cor¬ 
recting  these  matters  in  recognition  that 
they  are  important  responsibilities  of 
agency  and  department  heads. 

0MB  expressed  some  concern  that  GAO's  recom¬ 
mendation  for  organizing  a  highly  placed 
computer  security  administration  as  a  staff 
function,  independent  from  computer  opera¬ 
tions,  might  cause  difficulty  with  the  agency 
head's  span  of  control.  That  is,  too  many 
functions  are  now  competing  for  top-level 
attention  and  this  would  add  one  more.  GAO 
intends  its  recommendation  to  be  sufficiently 
broad  to  allow  each  agency  maximum  flexibility 
in  its  implementation  in  a  wide  variety  of 
agency  organizations. 

GAO  agrees  with  0MB  that  elements  of  this 
security  function  such  as  monitoring,  in¬ 
spection,  and  audit  could  be  placed  under 
the  inspector  general  function.  But  GAO  sees 
the  need  for  identification  of  a  focal  point 
at  a  high  level,  independent  from  responsi¬ 
bility  for  computer  operations,  to  develop 
and  oversee  an  automated  systems  security 
program.  The  security  program  itself  should 
be  promulgated  by  a  directive  and  guidance 
issued  by  the  agency  head.  (See  p.  24.) 
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